Offense And Defense For Managing Security And Risk – Charles Leaver

Written By Roark Pollock And Presented By Charles Leaver Ziften CEO


Risk management and security management have long been handled as separate functions, typically performed by different teams within an organization. The recognition that organizations need continuous visibility and control across all assets has increased interest in finding the commonalities between these disciplines, and the availability of a new generation of tools is making that effort possible. The discussion is timely given the continued difficulty most enterprises have in attracting and retaining qualified security staff to manage and protect IT infrastructure. Unifying these activities can help organizations get more out of those scarce people, reduce costs, and automate response.

Historically, risk management has been viewed as an offensive mandate, and is generally the domain of IT operations teams. Often referred to as “systems management”, IT operations teams actively perform device state and posture monitoring, policy enforcement, and vulnerability management. The goal is to proactively mitigate potential risks. Activities that reduce risk and are performed by IT operations include:

Offensive Risk Mitigation – Systems Management

Asset discovery, inventory, and refresh

Software discovery, usage tracking, and license reconciliation

Mergers and acquisition (M&A) risk assessments

Cloud workload migration, tracking, and enforcement

Vulnerability assessments and patch installation

Proactive help desk or systems analysis and issue response / repair

On the other side of the field, security management is seen as a defensive discipline, and is generally the domain of security operations teams. Security operations teams are usually responsible for threat detection, incident response, and remediation. The goal is to respond to a threat or a breach as quickly as possible in order to minimize the impact on the organization. Activities that fall squarely under security management and are performed by security operations include:

Defensive Security Management – Detection and Response

Threat detection and/or threat hunting

User behavior monitoring / insider threat detection and/or hunting

Malware analysis and sandboxing

Incident response and threat containment / removal

Lookback forensic investigations and root cause determination

Tracing lateral threat movement, and further threat elimination

Data exfiltration identification

Effective organizations, of course, need to play both offense AND defense equally well. This need is driving organizations to recognize that IT operations and security operations have to be as aligned as possible. It helps if the two teams are working from the same playbook, or at a minimum from the same data, a single source of truth. That means both groups should try to use some of the same data collection and analytic tools and methodologies when it comes to managing and protecting their endpoint systems. And if an organization relies on the same staff for both jobs, it certainly helps if those people can pivot between the two roles within the same tools, working from a single data set.

Each of these offensive and defensive tasks is critical to protecting an organization’s intellectual property, reputation, and brand. Managing and prioritizing them is what frequently keeps CIOs and CISOs up at night. Organizations should look for opportunities to align and combine teams, technologies, and policies as much as possible so that they stay focused on the most pressing need along the risk and security management spectrum.

When it comes to managing endpoint systems, it is clear that organizations are moving toward an “all the time” visibility and control model that allows continuous risk assessment, continuous threat monitoring, and continuous performance management.

Organizations should therefore look for three key capabilities when evaluating new endpoint security systems:

Solutions that provide “all the time” visibility and control for both IT operations teams and security operations teams.

Solutions that provide a single source of truth that can be used both offensively for risk management and defensively for security detection and response.

Architectures that integrate easily into existing systems management and security tool ecosystems, delivering even greater value for both IT and security teams.

What We Took From Black Hat And Defcon This Year – Charles Leaver

Written by Michael Vaughn And Presented By Ziften CEO Charles Leaver


Here are my experiences from Black Hat 2017. There is a small addition to this year’s synopsis, due in large part to the theme of the opening talk given by Facebook’s Chief Security Officer, Alex Stamos. Stamos stressed the importance of refocusing the security community’s efforts on working better together and on diversifying security solutions.

“Working better together” seems like an oxymoron when you look at the intense competition among the hundreds of security companies vying for customers at Black Hat. Based on Stamos’s message in the opening keynote, I felt it was important to add a few of my experiences from Defcon as well. Defcon has historically been an event for learning and is made up of independent hackers and security professionals. Last week’s Black Hat theme focused on the social aspect of how companies need to get along and genuinely help others and one another, which has always been the overarching message of Defcon.

People checked in from all over the world last week:

Jeff Moss, aka ‘Dark Tangent’, the founder of Black Hat and Defcon, also wants that to be the theme: where you try to help people gain knowledge and learn from others. Moss wants attendees to stay ‘nice’ and ‘helpful’ throughout the conference. That is in line with what Alex Stamos from Facebook conveyed in his presentation about security companies. Stamos asked that we all share in the responsibility of helping those who cannot help themselves. He also raised another relevant point: are we doing enough in the security industry to truly help people rather than just doing it to make money? Can we accomplish the goal of actually helping people? Such is the juxtaposition of the two events. The main difference between Black Hat and Defcon is the corporate consistency of Black Hat (from the vendor hall to the presentations) versus the true hacker community at Defcon, which showcases the creative side of what is possible.

The company I work for, Ziften, provides Systems and Security Operations software, giving IT and security teams visibility and control across all endpoints, on or off the corporate network. We also have a pretty sweet sock game!

Many attendees showed their Ziften support by sporting prior-year Ziften sock designs. Looking good, feeling good!

The idea of joining forces to fight against the corrupt is something most attendees from around the world embrace, and we are no different. Here at Ziften, we aim to genuinely help our customers and the community with our solutions. Why sell or rely on a solution that is limited to what’s inside the box, one that offers a single or a handful of specific functions? Our software is a platform for integration and provides modular security and operational solutions. The whole Ziften team takes the creativity from Defcon and pushes itself to develop new, customized features and forensic tools where traditional security businesses would shy away or simply stay consumed by daily tasks.

Providing all-the-time visibility and control for any asset, anywhere, is one of Ziften’s main focuses. Our unified systems and security operations (SysSecOps) platform empowers IT and security operations teams to quickly fix endpoint issues, reduce overall risk posture, speed threat response, and improve operational efficiency. Ziften’s secure architecture delivers continuous, streaming endpoint monitoring and historical data collection for enterprises, governments, and managed security providers. And in keeping with 2017’s Black Hat theme of working together, Ziften’s partner integrations extend the value of incumbent tools and fill the gaps between siloed systems.

Journalists are not allowed to take pictures of the Defcon crowd, but I am not the press and this was before entering a badge-required area :P The Defcon hordes and goons (Defcon staff wearing red t-shirts) were at a dead stop for a solid twenty minutes waiting for initial access to the four massive Track meeting rooms on opening day.

The Voting Machine Hacking Village got a lot of attention at the event. It was fascinating but nothing new for veteran attendees. I suppose it takes something notable to garner attention around particular vulnerabilities. All vulnerabilities for most of the talks, and particularly this village, had already been disclosed to the appropriate authorities prior to the event. Let us know if you need help locking down one of these (looking at you, government folks).

More and more personal data is becoming available to the public. For example, the Google and Twitter APIs are freely and openly available to query user data metrics. This data makes it easier for attackers to social engineer targeted attacks on individuals, particularly persons of power and rank, like judges and executives. The presentation titled Dark Data showed how a simple yet brilliant de-anonymization algorithm and some data allowed two white hats to identify people with extreme accuracy and reveal very personal information about them. This should make you think twice about what is installed on your systems and on those of the people in your workplace. Most of the raw metadata was collected through a popular browser add-on; the fine tuning happened with the algorithm and the public APIs. Do you know what browser add-ons are running in your environment? If the answer is no, then Ziften can help.
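Answering that question starts with knowing which extensions are installed and what they are allowed to see. The script below is an added example, not Ziften code and not from the original post: it walks the manifest.json files Chrome and Chromium keep for installed extensions (one directory per extension id, one subdirectory per version, under each browser profile) and flags permissions that expose browsing activity, which is exactly what the add-on in the Dark Data talk was collecting. The profile root locations and manifest keys are Chrome’s own; the risky-permission list, the record format and the sample profile it builds for offline use are assumptions made for this example.

```python
"""Inventory installed Chrome/Chromium extensions and flag data-collecting permissions.

Added example, not Ziften code or part of the original post. Directory layout
and manifest keys are Chrome's; RISKY, the record format and the constructed
sample profile are assumptions for the example.
"""
import glob
import json
import os
import tempfile

# Permissions that let an extension read history, tabs, page content or all sites.
RISKY = {"<all_urls>", "tabs", "history", "webRequest", "webRequestBlocking",
         "webNavigation", "cookies", "clipboardRead", "nativeMessaging", "debugger"}

# Real per-platform profile roots; each holds <profile>/Extensions/<id>/<version>/manifest.json
PROFILE_ROOTS = [
    os.path.expanduser("~/.config/google-chrome"),
    os.path.expanduser("~/.config/chromium"),
    os.path.expanduser("~/Library/Application Support/Google/Chrome"),
    os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome", "User Data"),
]


def inventory(profile_root):
    """One record per installed extension version found under profile_root."""
    pattern = os.path.join(profile_root, "*", "Extensions", "*", "*", "manifest.json")
    records = []
    for manifest_path in sorted(glob.glob(pattern)):
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        profile, _, ext_id, _, _ = os.path.relpath(manifest_path, profile_root).split(os.sep)
        # MV2 lists host patterns under "permissions", MV3 under "host_permissions";
        # a content script also reaches every origin in its "matches".
        perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
        perms |= {p for p in manifest.get("host_permissions", []) if isinstance(p, str)}
        for script in manifest.get("content_scripts", []):
            perms |= set(script.get("matches", []))
        records.append({
            "profile": profile,
            "id": ext_id,  # names like "__MSG_appName__" are localized; the id is the stable key
            "name": manifest.get("name", ""),
            "version": manifest.get("version", ""),
            "risky": sorted(perms & RISKY),
        })
    return records


def flagged(records):
    """Only the extensions holding at least one RISKY permission."""
    return [r for r in records if r["risky"]]


def build_sample_profile():
    """Constructed sample profile (not a real machine): one benign, one collecting extension."""
    root = tempfile.mkdtemp(prefix="chrome-sample-")
    sample = {
        "abcdefghijklmnopabcdefghijklmnop": {
            "manifest_version": 3, "name": "Tab Counter", "version": "1.0",
            "permissions": ["storage"]},
        "ponmlkjihgfedcbaponmlkjihgfedcba": {
            "manifest_version": 2, "name": "Shopping Helper", "version": "4.2.1",
            "permissions": ["tabs", "history", "storage", "<all_urls>"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["collect.js"]}]},
    }
    for ext_id, manifest in sample.items():
        ext_dir = os.path.join(root, "Default", "Extensions", ext_id, manifest["version"] + "_0")
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    # Scan real profiles when present, otherwise the constructed sample.
    roots = [r for r in PROFILE_ROOTS if os.path.isdir(r)] or [build_sample_profile()]
    for root in roots:
        for rec in flagged(inventory(root)):
            print(f"{rec['profile']}: {rec['name']} {rec['version']} ({rec['id']}) risky={rec['risky']}")
```

Run it under each user account on a host (the profile roots are per user), and treat the extension id rather than the display name as the identity to compare across machines. Firefox keeps its add-ons in a different layout (extensions.json in the profile) and is not covered by this script.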

This presentation was all about exploiting Point-of-Sale systems. Although quite funny, it was a bit frightening how quickly one of the most commonly used POS systems could be hacked. This particular POS hardware is most commonly used when paying in a taxi. The base operating system is Linux, and although it runs on an ARM architecture and is protected by hardened firmware, why would a company leave the security of customer credit card details entirely up to the hardware vendor? If you want extra protection on your POS systems, look no further than Ziften. We protect the most commonly used enterprise operating systems. If you want to do the fun thing and install the video game Doom on one, I can send you the slide deck.

This speaker’s slides were off-the-charts excellent. What wasn’t excellent was how exploitable macOS is during the installation of common applications. Almost every time you install an application on a Mac, it prompts you for elevated privileges. But what if something were to subtly modify the installer’s code a moment before you entered your administrator credentials? Well, most of the time, probably something not good. Worried about your Macs running malware smart enough to detect and modify code in common vulnerable installers before you or your users enter credentials? If so, we at Ziften Technologies can help.

We help you not by replacing your whole toolset, although we often find ourselves doing just that. Our goal is to use the recommendations and the current tools that work from various vendors, ensure they are installed and running, ensure the prescribed hardening is actually intact, and ensure your operations and security teams work together more effectively to achieve a tighter security posture across your environment.

Key Takeaways from Black Hat & Defcon 2017:

1) Stronger together

– Alex Stamos’s keynote
– Jeff Moss’s message
– Visitors from around the globe collaborating
– Black Hat should preserve a friendly community spirit

2) Stronger together with Ziften

– Ziften plays well with other software vendors

3) Popular current vulnerabilities Ziften can help prevent and resolve

– Point-of-Sale exploitation
– Voting machine tampering
– Escalating macOS privileges
– Targeted individual attacks

Now Vulnerabilities In Subtitle Packages For Movie Apps Have Been Found – Charles Leaver

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Do you like watching movies with popular apps like Kodi, SmartTV or VLC on your devices? How about needing or wanting subtitles for those films and just grabbing the latest pack from OpenSubtitles? No problem, sounds like a nice evening at home. The problem is, according to research by Check Point, you could be in for a nasty surprise.

For attackers to take control of your ‘realm’, they need a vector, some way to get into your system. There are common methods these days, such as clever (and not so clever) social engineering techniques: you get an email that appears to come from a friend or co-worker but was spoofed and you open the attachment, or you visit some website, and if the stars align, you are pwned. Usually the star alignment part is not that hard; it only requires that you have some vulnerable software running that can be reached.

Since the trick is getting users to cooperate, the target audience can often be hard to reach. But with this latest research, several of the major media players have a distinct vulnerability when it comes to fetching and parsing subtitle packages. The four main media players named in the article are patched to date, but as we have seen in the past (just look at the recent SMB v1 vulnerability problem), just because a fix is available doesn’t mean users are updating. The researchers have also declined to publish the technical details of the vulnerability in order to give other vendors time to patch. That is a good sign and, I think, the correct approach for researchers to take: inform the vendor so they can fix the issue, and also announce it publicly so ‘we the people’ are informed and know what to watch out for.

It’s hard to keep up with the many ways you can get infected, but at least we have researchers who relentlessly try to ‘break’ things to find those vulnerabilities. By following proper disclosure practices, they help everyone enjoy a safer experience with their devices, and in this case, a great night in watching movies.


With Ziften Endpoint Products Integration With Your Existing Architecture Is Easy – Charles Leaver

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


Security professionals are by nature a cautious bunch. Caution is a trait most folks likely have coming into this industry given its mission, but it is also undoubtedly a trait acquired over time. Ironically this is true even when it comes to adding additional security controls into an already established security architecture. While one might assume that more security is better security, experience teaches us that’s not always the case. There are many concerns associated with deploying a new security product. One that usually shows up near the top of the list is how well a new product integrates with existing solutions.

Integration concerns come in a number of flavors. First, a new security control shouldn’t break anything. Beyond that, new security products need to gracefully share threat intelligence and act on threat intelligence gathered across an organization’s entire security infrastructure. In other words, the new security tools need to work together with the existing ecosystem of tools such that “1 + 1 = 3”. The last thing most security and IT operations teams need is more siloed products and tools.

This is why, at Ziften, we have always focused on building and delivering a completely open visibility architecture. We believe that any new systems and security operations tool should be built with improved visibility and information sharing as core design requirements. But this isn’t a one-way street. Creating easy integrations requires technology partnerships between vendors. We consider it our responsibility to work with other technology companies to mutually integrate our products, making it easy on customers. Unfortunately, many vendors still believe that integration of security solutions, especially new endpoint security solutions, is extremely challenging. I hear the concern constantly in customer conversations. But data is now emerging showing this isn’t necessarily the case.

In recent survey work by NSS Labs on “advanced endpoint” products, they report that Global 2000 customers based in North America have been pleasantly surprised by how well these kinds of solutions integrate into their existing security architectures. According to the NSS report titled “Advanced Endpoint Protection – Market Analysis and Survey Results CY2016”, which NSS subsequently presented in a BrightTalk webinar, respondents that had already deployed advanced endpoint products were much more positive about their ability to integrate into established security architectures than were respondents still in the planning stages of purchasing these solutions.

Specifically, respondents that had already deployed advanced endpoint solutions rated integration with their established security architectures as follows:

● Excellent 5.3%
● Good 50.0%
● Average 31.6%
● Poor 13.2%
● (Horrible) 0.0%

Compare that to the more conservative responses from people still in the planning phase:

● Excellent 0.0%
● Good 39.3%
● Average 42.9%
● Poor 14.3%
● (Horrible) 3.6%

These responses are encouraging. Yes, as noted, security folks tend to be pessimists, but in spite of low expectations, respondents are reporting favorable outcomes with respect to integration. In fact, Ziften customers usually exhibit the same initial low expectations when we first discuss integrating Ziften solutions into their existing ecosystem of products. But in the end, customers are wowed by how simple it is to share information between Ziften solutions and their existing infrastructure.

These survey results will hopefully help ease concerns, as newer product adopters often read and rely on peer recommendations before making purchase decisions. Early mainstream adopters are clearly having success deploying these products, which will hopefully help reduce the natural caution of the broader mainstream.

Certainly there is substantial differentiation between products in the space, and organizations should continue to perform proper due diligence in understanding how and where products integrate into their broader security architectures. But the good news is that there are solutions not only meeting customers’ requirements, but actually outperforming their initial expectations.

Petya Variant Flaw Is Real Trouble Unless You Are A Ziften Customer – Charles Leaver

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Another outbreak, another nightmare for those who were not prepared. While this latest attack is similar to the earlier WannaCry threat, there are some differences in this latest malware, which is a variant or new strain much like Petya. Called NotPetya by some, this strain spells a great deal of trouble for anybody who encounters it. It may encrypt your data, or make the system completely inoperable. And the email address that you would be required to contact to ‘possibly’ decrypt your files has now been taken down, so you are out of luck getting your files back.

A lot of detail on the behavior of this threat is publicly available, but I wanted to point out that Ziften customers are protected from both the EternalBlue exploit, which is one mechanism used for its propagation, and, better still, by a vaccine based on what is either a flaw in the malware or its own form of debug check, which prevents the threat from ever executing on your system. It could still spread within the environment, but our protection is already pushed out to all existing systems to stop the damage.

Our Ziften extension platform lets our customers have protection in place against specific vulnerabilities and malicious actions for this threat and others like Petya. Besides the specific actions taken against this particular variant, we have taken a holistic approach to stopping strains of malware that perform various ‘checks’ against the system prior to executing.

We can also use our Search capability to look for remnants of the other propagation techniques used by this threat. Reports show WMIC and PsExec being used. We can search for those programs, their command lines, and their usage. Even though they are legitimate programs, their use is typically uncommon and can be alerted on.
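What that search looks like in practice, as an added example that is not Ziften’s Search feature or code from the original post: the script below runs over process-creation events and alerts on the command-line shapes WMIC and PsExec use for remote execution (wmic /node: … process call create, psexec \\host -accepteula -s), treats a launch from something other than an interactive shell as a stronger signal, and counts how many distinct targets each source host has reached, since one host fanning out to many is the worm-like pattern. The event schema, host names and sample events are constructed for the example; the tool flags themselves are real.

```python
"""Hunting for WMIC and PsExec lateral movement in process-creation telemetry.

Added example, not Ziften code or part of the original post. Event schema,
hosts and sample events are constructed; the wmic and psexec command-line
forms matched here are the tools' real ones.
"""
import re
from collections import defaultdict

# Parents an administrator would normally launch these tools from.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}
SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed sample events (hypothetical schema), not real telemetry.
EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "explorer.exe", "image": "wmic.exe",
     "cmdline": "wmic os get caption"},
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "rundll32.exe", "image": "wmic.exe",
     "cmdline": 'wmic /node:"10.0.0.23" /user:"CORP\\admin" /password:"Pa55" '
                'process call create "rundll32.exe C:\\Windows\\sample.dat,#1"'},
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "rundll32.exe", "image": "psexec.exe",
     "cmdline": "psexec.exe \\\\10.0.0.24 -accepteula -s -d rundll32.exe C:\\Windows\\sample.dat,#1"},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe", "image": "psexesvc.exe",
     "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "ws03", "user": "CORP\\helpdesk", "parent": "cmd.exe", "image": "psexec.exe",
     "cmdline": "psexec.exe \\\\ws07 -accepteula cmd /c ipconfig"},
]


def remote_target(cmdline):
    """Remote host named on a wmic /node: or psexec \\host argument, if any."""
    m = (re.search(r'/node:"?([^"\s]+)"?', cmdline, re.I)
         or re.search(r"\\\\([^\s\\]+)", cmdline))
    return m.group(1) if m else None


def classify(event):
    """Return (severity, reason) pairs; an empty list means nothing to alert on."""
    image, cmd = event["image"].lower(), event["cmdline"]
    reasons = []
    if image == "wmic.exe":
        if re.search(r"/node:", cmd, re.I) and re.search(r"process\s+call\s+create", cmd, re.I):
            reasons.append(("high", "wmic remote process creation"))
        if "/password:" in cmd.lower():
            reasons.append(("medium", "credentials passed on the wmic command line"))
    elif image in ("psexec.exe", "psexec64.exe"):
        reasons.append(("medium", "psexec remote execution"))
        if re.search(r"\s-s(\s|$)", cmd, re.I):
            reasons.append(("high", "psexec -s: payload runs as SYSTEM on the target"))
    elif image == "psexesvc.exe":
        reasons.append(("medium", "PSEXESVC service started: this host is a psexec target"))
    # Admin tools spawned by something other than a shell (NotPetya spawned them
    # from its rundll32-hosted DLL) are a stronger signal than the tools themselves.
    if reasons and event["parent"].lower() not in INTERACTIVE_PARENTS:
        reasons.append(("high", f"launched by {event['parent']} rather than an interactive shell"))
    return reasons


def hunt(events):
    """One alert per suspicious event, carrying its highest severity."""
    alerts = []
    for ev in events:
        reasons = classify(ev)
        if not reasons:
            continue
        alerts.append({
            "host": ev["host"], "user": ev["user"], "image": ev["image"],
            "target": remote_target(ev["cmdline"]),
            "severity": max(reasons, key=lambda r: SEVERITY[r[0]])[0],
            "reasons": [text for _, text in reasons],
        })
    return alerts


def fan_out(alerts):
    """Distinct remote targets per source host; many targets from one host is worm-like."""
    targets = defaultdict(set)
    for alert in alerts:
        if alert["target"]:
            targets[alert["host"]].add(alert["target"])
    return {host: len(t) for host, t in targets.items()}


if __name__ == "__main__":
    found = hunt(EVENTS)
    for a in found:
        print(f"[{a['severity']}] {a['host']} {a['user']} {a['image']} -> {a['target']}: "
              + "; ".join(a["reasons"]))
    print("fan-out:", fan_out(found))
```

The local “wmic os get caption” produces no alert, the help-desk psexec from a cmd.exe prompt produces a medium one, and the two launches from rundll32.exe on ws01 come out high; ws01 also shows two distinct targets in the fan-out count, which is the number to watch climb during an outbreak. Tune INTERACTIVE_PARENTS and the psexec rule to your own administrators’ habits before alerting on medium severity.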

With WannaCry, and now NotPetya, we expect to see a continued rise in these types of attacks. The release of the recent NSA exploits has given ambitious cyber criminals the tools needed to push out their products. And though ransomware can be a lucrative commodity vehicle, more destructive threats could be launched. It has always been ‘how’ to get the threats to spread (worm-like, or via social engineering) that is most challenging for them.

UK Email Security Breach Highlights Design Insecurities – Charles Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


In the online world the sheep get shorn, chumps get chewed, dupes get deceived, and pawns get pwned. We’ve seen another fine example of this in the recent attack on the UK Parliament email system.

Rather than admit to an email system that was insecure by design, the official statement read:

Parliament has robust steps in place to safeguard all of our accounts and systems.

Tell us another one. The one protective measure we did see at work was blame deflection: the Russians did it, that always works, while implicating the victims for their policy violations. While details of the attack are limited, combing various sources does help to assemble at least the gross outlines. If these descriptions are reasonably close, the UK Parliament email system failings are atrocious.

What went wrong in this case?

Rely on single-factor authentication

“Password security” is an oxymoron: anything protected by a password alone is insecure, full stop, irrespective of the strength of the password. Please, no 2FA here, it might hinder the attackers.

Do not enforce any limit on failed login attempts

Combined with single-factor authentication, this permits easy brute force attacks, no skill required. But when breached, blame elite foreign hackers; nobody can verify.

Do not perform brute force violation detection

Allow attackers to run (otherwise trivially detectable) brute force attacks for prolonged periods (12 hours against the UK Parliament system), maximizing the scope of account compromise.

Do not enforce policy, treat it as merely advisory

Combined with single-factor authentication, no limit on failed logins, and no brute force detection, do not enforce any password strength validation. Provide attackers with very low hanging fruit.

Rely on unsigned, unencrypted email for sensitive communications

If attackers succeed in compromising email accounts or sniffing your network traffic, give them plenty of opportunity to score high value message content entirely in the clear. This also conditions constituents to trust readily spoofable email from Parliament, creating a perfect constituent phishing environment.
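To make the second and third failings concrete, here is an added example (not part of the original post, and not Ziften code) of what the missing controls look like: a replay of an authentication log that enforces a per-account lockout after repeated failures, and separately flags a single source grinding through many accounts at a rate low enough that no per-account limit would trip, which is how a weak-password policy gets harvested over 12 hours. The log format, thresholds and sample lines are constructed for the example.

```python
"""Failed-login lockout plus brute-force / password-spray detection.

Added example, not Ziften code or part of the original post. Log format,
thresholds and the sample log are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILS = 5                          # failures per account before lockout
FAIL_WINDOW = timedelta(minutes=15)    # window those failures are counted in
LOCK_DURATION = timedelta(minutes=30)
SPRAY_ACCOUNTS = 5                     # distinct accounts failed from one source...
SPRAY_WINDOW = timedelta(hours=1)      # ...within this window

# Constructed sample log (hypothetical format): timestamp, result, account, source.
# 203.0.113.7 tries six accounts once each and gets into frank's; 192.0.2.4 hammers grace.
SAMPLE_LOG = """\
2017-06-23T01:00:00 FAIL user=alice src=203.0.113.7
2017-06-23T01:00:02 FAIL user=bob src=203.0.113.7
2017-06-23T01:00:04 FAIL user=carol src=203.0.113.7
2017-06-23T01:00:06 FAIL user=dave src=203.0.113.7
2017-06-23T01:00:08 FAIL user=erin src=203.0.113.7
2017-06-23T01:00:10 FAIL user=frank src=203.0.113.7
2017-06-23T01:00:12 OK   user=frank src=203.0.113.7
2017-06-23T01:05:00 FAIL user=alice src=198.51.100.9
2017-06-23T01:05:30 OK   user=alice src=198.51.100.9
2017-06-23T01:10:00 FAIL user=grace src=192.0.2.4
2017-06-23T01:10:01 FAIL user=grace src=192.0.2.4
2017-06-23T01:10:02 FAIL user=grace src=192.0.2.4
2017-06-23T01:10:03 FAIL user=grace src=192.0.2.4
2017-06-23T01:10:04 FAIL user=grace src=192.0.2.4
2017-06-23T01:10:05 FAIL user=grace src=192.0.2.4
"""


def parse(line):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result == "OK", user.split("=", 1)[1], src.split("=", 1)[1]


def analyze(log_text):
    """Replay the log, enforcing lockout and raising both detections."""
    fails = defaultdict(deque)         # account -> timestamps of recent failures
    locked_until = {}                  # account -> time the lockout expires
    src_accounts = defaultdict(dict)   # source -> {account: last failure time}
    report = {"locked": [], "spray_sources": [], "rejected_while_locked": 0,
              "suspect_logins": []}
    for line in log_text.splitlines():
        ts, ok, user, src = parse(line)
        # Lockout: while an account is locked, even the correct password is refused.
        if ts < locked_until.get(user, ts):
            report["rejected_while_locked"] += 1
            continue
        if ok:
            fails[user].clear()
            # A success from a source already seen spraying is the login to chase.
            if src in report["spray_sources"]:
                report["suspect_logins"].append((user, src))
            continue
        # Per-account failure count over a sliding window.
        recent = fails[user]
        recent.append(ts)
        while ts - recent[0] > FAIL_WINDOW:
            recent.popleft()
        if len(recent) >= MAX_FAILS:
            locked_until[user] = ts + LOCK_DURATION
            report["locked"].append(user)
            recent.clear()
        # Spray: one source, many accounts, too few tries each to trip the lockout.
        seen = src_accounts[src]
        seen[user] = ts
        for account, last in list(seen.items()):
            if ts - last > SPRAY_WINDOW:
                del seen[account]
        if len(seen) >= SPRAY_ACCOUNTS and src not in report["spray_sources"]:
            report["spray_sources"].append(src)
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, grace is locked on her fifth failure and her sixth attempt is rejected outright, while 203.0.113.7 never trips the per-account limit but is flagged as a spraying source, so the successful login to frank from it lands in suspect_logins for investigation. An attacker rotating source addresses defeats the per-source counter, so a production version also watches the overall failure rate and the number of distinct accounts failed per window; and none of this substitutes for the second factor the post asks for.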

Lessons learned

In addition to adding “Common Sense for Dummies” to their summer reading lists, the UK Parliament email system administrators might want to take further action. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and completely rethinking secure messaging are recommended actions. Penetration testing would have revealed these basic weaknesses while staying out of the news headlines.

Even a few intelligent high-schoolers with a free weekend could have replicated this attack. And finally, stop blaming the Russians for your own security failings. Assume that any weaknesses in your security architecture and policy framework will be found and exploited by some cyber criminal somewhere on the global internet. All the more incentive to find and fix those weaknesses before the attackers do, so get started immediately. And then, if your defenders cannot see the attacks in progress, upgrade your monitoring and analytics.

SysSecOps Will Enable IT And Security To Work Closer – Charles Leaver

Written By Charles Leaver Ziften CEO


Scott Raynovich nailed it. Having worked with many organizations, he recognized that one of the biggest obstacles is that security and operations are two different departments, with drastically different goals, different tools, and different management structures.

Scott and his analyst firm, Futuriom, recently completed a study, “Endpoint Security and SysSecOps: The Growing Trend to Build a More Secure Enterprise”, where one of the key findings was that conflicting IT and security goals prevent professionals on both teams from achieving their objectives.

That’s exactly what we believe at Ziften, and the term that Scott coined for the convergence of IT and security in this domain, SysSecOps, describes perfectly what we’ve been talking about. Security teams and IT teams need to get on the same page. That means sharing the same goals and, sometimes, sharing the same tools.

Think about the tools that IT people use. They are designed to make sure the infrastructure and end devices are working properly, and when something goes wrong, to help fix it. On the endpoint side, those tools make sure that the devices allowed onto the network are configured correctly, have software that is authorized and properly updated and patched, and haven’t logged any faults.

Consider the tools that security folks use. They work to enforce security policies on devices, infrastructure, and security appliances (like firewalls). This might involve actively monitoring events, scanning for abnormal behavior, analyzing files to ensure they don’t contain malware, adopting the latest threat intelligence, matching against recently discovered zero-days, and performing analysis on log files.

Finding fires, fighting fires

Those are two different worlds. The security teams are fire spotters: they can see that something bad is happening, work quickly to isolate the problem, and determine whether harm occurred (like data exfiltration). The IT teams are on-the-ground firefighters: they jump into action when an incident occurs to ensure that the systems are made safe and restored to operation.

Sounds good, doesn’t it? Sadly, all too often, they don’t talk to each other; it is like having the fire spotters and firefighters using different radios, different jargon, and different city maps. Worse, the teams cannot share the same data directly.

Our approach to SysSecOps is to give both the IT and security teams the same resources, which means the same reports, delivered in ways appropriate to each set of experts. It’s not dumbing down, it’s working smarter.

It’s ridiculous to operate any other way. Take the WannaCry infection, for example. Microsoft released a patch back in March 2017 that addressed the underlying SMB flaw. IT operations teams didn’t install the patch, because they didn’t think it was a big deal and didn’t talk to security. Security teams didn’t know whether the patch was installed, because they don’t talk to operations. SysSecOps would have had everybody on the same page, and could potentially have avoided this problem.

Missing data means waste and risk

The dysfunctional gap between IT operations and security exposes organizations to risk. Preventable risk. Unnecessary risk. It’s simply unacceptable!

If your organization’s IT and security teams aren’t on the same page, you are incurring risks and costs that you shouldn’t have to. It’s waste. Organizational waste. It’s wasteful because you have many tools that provide partial data with gaps, and each of your teams sees only part of the picture.

As Scott concluded in his report, “Coordinated SysSecOps visibility has already proven its worth in helping companies assess, analyze, and prevent substantial threats to IT systems and endpoints. If these goals are pursued, the security and management threats to an IT system can be greatly decreased.”

If your teams are working together in a SysSecOps fashion, if they can see the same data at the same time, you not only have better security and more efficient operations, but also lower risk and lower costs. Our Zenith software can help you achieve that efficiency, not only working with your existing IT and security tools, but also filling in the gaps to make sure everybody has the right data at the right time.

Detection Of WannaCry And Response To It Through Ziften And Splunk – Charles Leaver

Written by Joel Ebrahami and presented by Charles Leaver


WannaCry has generated a lot of media attention. It may not have the massive infection rates that we saw with many of the older worms, but in today’s security world the number of systems it was able to infect in a single day was still quite remarkable. The goal of this blog is NOT to provide an in-depth analysis of the threat, but rather to look at how the malware behaves at a technical level as seen through Ziften’s Zenith platform and the integration we have with our technology partner Splunk.

WannaCry Visibility in Ziften Zenith

My first step was to reach out to the Ziften Labs threat research team to see what details they could provide about WannaCry. Josh Harriman, VP of Cyber Security Intelligence, heads up our research team and informed me that they had samples of WannaCry currently running in our ‘Red Lab’ to examine the behavior of the threat and perform further analysis. Josh sent me the details of what he had found when analyzing the WannaCry samples in the Ziften Zenith console, which I present here.

The Red Lab has systems covering all the most common operating systems with various services and configurations. There were already systems in the lab that were deliberately vulnerable to the WannaCry exploit. Our global threat intelligence feeds used in the Zenith platform are updated in real time, and had no trouble detecting the malware in our lab environment (see Figure 1).


Two lab systems were identified running the malicious WannaCry sample. While it is great to see our global threat intelligence feeds updated so quickly and identifying the ransomware samples, there were other behaviors we identified that would have flagged the ransomware even if there had not been a threat signature.

Zenith agents gather a vast quantity of information on what’s occurring on each host. From this visibility information, we create non-signature based detection methods to take a look at generally harmful or anomalous behaviors. In Figure 2 below, we reveal the behavioral detection of the WannaCry infection.


Investigating the Breadth of WannaCry Infections

Once detected, whether through signature or behavioral methods, it is very simple to see which other systems have also been infected or are exhibiting similar behaviors.


Detecting WannaCry with Ziften and Splunk

After reviewing this data, I decided to run the WannaCry sample in my own environment on a vulnerable system. I had one vulnerable system running the Zenith agent, and in this example my Zenith server was already configured to integrate with Splunk. This let me look at the same data inside Splunk. Let me be clear about the integration we have with Splunk.

We have two Splunk apps for Zenith. The first is our technology add-on (TA): its function is to ingest and index ALL the raw data from the Zenith server that the Ziften agents generate. As this data comes in it is mapped onto Splunk’s Common Information Model (CIM) so that it can be normalized and easily searched, as well as used by other apps such as the Splunk App for Enterprise Security (Splunk ES). The Ziften TA also includes Adaptive Response capabilities for taking actions from events that are rendered in Splunk ES. The second app is a dashboard for displaying our data with all the graphs and charts available in Splunk, making the data much easier to digest.

Since I already had the details of how the WannaCry exploit behaved in our research lab, I had the advantage of knowing exactly what to look for in Splunk using the Zenith data. In this case I was able to see a signature alert by using the VirusTotal integration in our Splunk app (see Figure 4).


Threat Hunting for WannaCry Ransomware in Ziften and Splunk

But I wanted to put on my “incident responder hat” and investigate this in Splunk using the Zenith agent data. My first thought was to search the systems in my lab for ones running SMB, since that was the initial vector for the WannaCry attack. The Zenith data is encapsulated in various message types, and I knew I would most likely find SMB data in the running process message type; however, I used Splunk’s * wildcard with the Zenith sourcetype so I could search all Zenith data. The resulting search looked like ‘sourcetype=ziften:zenith:* smb’. As I expected, I got one result back for the system that was running SMB (see Figure 5).


My next step was to use the same behavioral search we have in Zenith that looks for typical CryptoWare and see if I could get results back. Again this was very simple to do from the Splunk search panel. I used the same wildcard sourcetype as before so I could search across all Zenith data, and this time I included the ‘delete shadows’ string to see if this command was ever issued at the command line. My search looked like ‘sourcetype=ziften:zenith:* delete shadows’. This search returned results, shown in Figure 6, that showed me in detail the process that was created and the full command line that was executed.


Having all this detail within Splunk made it extremely simple to identify which systems were vulnerable and which systems had already been compromised.

WannaCry Remediation Using Splunk and Ziften

One of the next steps in any breach is to remediate the compromise as fast as possible to prevent further damage, and to take action to prevent other systems from being compromised. Ziften is one of the founding Splunk Adaptive Response members, and there are a variety of actions (see Figure 7) that can be taken through Splunk’s Adaptive Response to mitigate these threats through extensions on Zenith.


In the case of WannaCry we could have used almost any of the Adaptive Response actions currently available through Zenith. When trying to reduce the impact and prevent WannaCry in the first place, one action that can be taken is to shut down SMB on any systems running the Zenith agent where the version of SMB running is known to be vulnerable. With a single action Splunk can pass to Zenith the agent IDs or the IP addresses of all the vulnerable systems where we want to stop the SMB service, preventing the exploit from ever taking place and giving the IT Operations team time to get those systems patched before starting the SMB service again.

Preventing Ransomware from Spreading or Exfiltrating Data

Now in the case where we have already been compromised, it is critical to prevent further exploitation and stop the possible exfiltration of sensitive data or company intellectual property. There are really three actions we could take. The first two are similar: we could kill the malicious process by either PID (process ID) or by its hash. This works, but since malware will often just respawn under a new process, or be polymorphic and have a different hash, we can use an action that is guaranteed to block any incoming or outgoing traffic from those infected systems: network quarantine. This is another example of an Adaptive Response action available from Ziften’s integration with Splunk ES.

WannaCry is currently winding down, but hopefully this technical blog post shows the value of the Ziften and Splunk integration in dealing with ransomware threats against the endpoint.
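As an added example (not Ziften’s or Splunk’s code), the two searches from the threat-hunting section and the response choices described here, expressed as detection and triage logic run over a constructed sample of endpoint process events. The field names, the LanmanServer service check, and the action names are assumptions made for this illustration.

```python
import re
from typing import Dict, List

# Constructed sample of endpoint process events, shaped like CIM-style
# fields (dest = host, process = full command line). These are made-up
# records written for this example, not output from Zenith or Splunk.
SAMPLE_EVENTS: List[dict] = [
    {"dest": "lab-win7-01", "process": "svchost.exe -k netsvcs", "service": "LanmanServer"},
    {"dest": "lab-win7-01", "process": "cmd.exe /c vssadmin delete shadows /all /quiet", "service": ""},
    {"dest": "lab-win7-02", "process": "svchost.exe -k netsvcs", "service": "LanmanServer"},
    {"dest": "lab-win10-03", "process": "explorer.exe", "service": ""},
    {"dest": "lab-win7-04", "process": "wmic shadowcopy delete", "service": ""},
]

# The 'delete shadows' string search from the post, generalised to the two
# common command-line forms of shadow-copy destruction.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)
# Assumption: the SMB server shows up as the LanmanServer service in the
# running-process data; the real Zenith field name is not given in the post.
SMB_SERVICE = "lanmanserver"

def hosts_running_smb(events: List[dict]) -> set:
    """Hosts with the SMB service running (the 'sourcetype=... smb' search)."""
    return {e["dest"] for e in events if e.get("service", "").lower() == SMB_SERVICE}

def shadow_deletion_hits(events: List[dict]) -> List[dict]:
    """Events whose command line matches the behavioural indicator."""
    return [e for e in events if SHADOW_DELETE.search(e["process"])]

def triage(events: List[dict]) -> Dict[str, str]:
    """Per host: 'compromised' (ransomware behaviour seen) beats 'exposed'
    (SMB running, patch state unknown) beats 'clean'."""
    smb_hosts = hosts_running_smb(events)
    hit_hosts = {e["dest"] for e in shadow_deletion_hits(events)}
    return {
        host: "compromised" if host in hit_hosts
        else "exposed" if host in smb_hosts else "clean"
        for host in {e["dest"] for e in events}
    }

def response_plan(events: List[dict]) -> Dict[str, str]:
    """Adaptive Response action per host, following the post's reasoning:
    quarantine compromised hosts (kill-by-PID/hash can be evaded by respawn or
    a changed hash), stop SMB on exposed hosts until patched, leave clean alone."""
    actions = {"compromised": "network_quarantine", "exposed": "stop_smb_service", "clean": "none"}
    return {host: actions[verdict] for host, verdict in triage(events).items()}
```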

Learn From This HVAC Breach And Become Security Paranoid – Charles Leaver

Written By Charles Leaver Ziften CEO


Whatever you do, don’t underestimate cybercriminals. Even the most paranoid “regular” person wouldn’t worry about stolen credentials from its heating, ventilation and air conditioning (HVAC) contractor being the source of a data breach. Yet that’s what happened at Target in November 2013. Hackers broke into Target’s network using credentials issued to the contractor, presumably so it could monitor the heating, ventilation and air conditioning system. (For a great analysis, see Krebs on Security.) And then the hackers were able to leverage the breach to spread malware into point-of-sale (POS) systems, then offload payment card data.

A number of ridiculous mistakes were made here. Why was the HVAC contractor given access to the enterprise network? Why wasn’t the HVAC system on a separate, totally isolated network? Why wasn’t the POS system on a separate network? And so on.

The point here is that in a really complex network, there are countless potential vulnerabilities that could be exploited through negligence, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the idea.

Whose job is it to find and fix those vulnerabilities? The security team. The CISO’s team. Security professionals aren’t “regular” people. They are paid to be paranoid. Make no mistake, no matter the specific technical vulnerability that was exploited, this was a CISO failure to anticipate the worst and prepare accordingly.

I can’t speak to the Target HVAC breach specifically, but there is one overwhelming reason why breaches like this happen: a lack of financial priority for cybersecurity. I’m not sure how often businesses fail to fund security simply because they’re cheap and would rather do a share buyback. Or maybe the CISO is too shy to ask for what’s needed, or has been told that she gets a 5% increase, no matter the need. Maybe the CEO is worried that disclosures of big budgets for security will spook investors. Maybe the CEO is simply naïve enough to believe that the business won’t be targeted by hackers. The problem: every company is targeted by cybercriminals.

There is fierce competition over budgets. The IT department wants to fund upgrades and improvements, and attack the backlog of demand for new and improved applications. On the other side, you have operational managers who see IT projects as directly helping the bottom line. They are optimists, and get lots of CEO attention.

By contrast, the security department often has to fight for crumbs. They are seen as a cost center. Security reduces business risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and reputation. These green-eyeshade people think about the worst-case scenarios. That doesn’t win friends, and budget dollars are allocated grudgingly at many companies (until the company gets burned).

Call it naivety, call it entrenched hostility, but it’s a genuine challenge. You can’t have IT given great tools to drive the enterprise forward while security is starved and making do with second best.

Worse, you don’t want to end up in situations where the rightfully paranoid security teams are working with tools that don’t mesh well with their IT counterparts’ tools.

If IT and security tools don’t mesh well, IT may not be able to act quickly in response to dangerous situations that the security teams are monitoring or are worried about: things like reports from threat intelligence, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behavior that suggests risky or suspicious activity.

One idea: find tools for both departments that are designed with both IT and security in mind, right from the start, instead of IT tools that are patched to provide some minimal security capability. One budget line item (take it out of IT, they have more money), but two workflows, one designed for the IT professional, one for the CISO team. Everybody wins, and next time somebody wants to give the HVAC contractor access to the network, maybe security will notice what IT is doing and head that disaster off at the pass.

Here Is What Ziften Can Do To Help You With WannaCry Ransomware – Charles Leaver

Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO


Answers To Your Concerns About WannaCry Ransomware

The WannaCry ransomware attack has so far infected more than 300,000 computers in 150 countries by exploiting vulnerabilities in Microsoft’s Windows operating system.
In this short video Chief Data Scientist Dr. Al Hartmann and I discuss the nature of the attack, along with how Ziften can help organizations protect themselves from the vulnerability called “EternalBlue.”

As discussed in the video, the problem with this Server Message Block (SMB) file-sharing service is that it’s on many Windows operating systems and found in most environments. However, we make it simple to determine which systems in your environment have or haven’t been patched yet. Importantly, Ziften Zenith can also remotely disable the SMB file-sharing service entirely, giving organizations valuable time to make sure those machines are properly patched.

If you’re curious about Ziften Zenith, our 20-minute demo includes a consultation with our experts on how we can help your organization prevent the worst digital catastrophe to hit the internet in years.