Increasing Numbers Of Connected Devices Will Present A Number Of Endpoint Challenges – Charles Leaver

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


It wasn’t long ago that everyone knew exactly what you meant when you talked about an endpoint. If somebody wanted to sell you an endpoint security product, you knew exactly which devices that software was going to protect. But when I hear someone casually mention endpoints today, The Princess Bride’s Inigo Montoya comes to mind: “You keep using that word. I do not think it means what you think it means.” Today an endpoint can be practically any type of device.

In fact, endpoints are so varied today that people have resorted to calling them “things.” According to Gartner, at the end of 2016 there were over 6 billion “things” connected to the internet, and the analyst firm forecasts that this number will grow to 21 billion by 2020. Enterprise uses of these things will be both generic (e.g. connected light bulbs and HVAC systems) and industry specific (e.g. oil rig security monitoring). For the IT and security teams responsible for connecting and protecting endpoints, however, this is only half of the new challenge. The adoption of virtualization has redefined what an endpoint is, even in the environments where these teams have traditionally operated.

The last decade has seen a massive change in the way end users access information. Physical devices continue to become more mobile, with many information workers now doing most of their computing and communication on laptops and smartphones. More significantly, everyone is becoming an information worker. Today, better instrumentation and monitoring permit levels of data collection and analysis that make it worthwhile to insert information technology into practically any job.

At the same time, more traditional IT assets, especially servers, are being virtualized to remove some of the traditional constraints of having those assets tied to physical hardware.

These two trends together will affect security teams in important ways. The totality of “endpoints” will consist of billions of long-lived and insecure IoT endpoints, along with billions of virtual endpoint instances that will be scaled up and down on demand and migrated to different physical locations as needed.

Organizations will have very different concerns with these two general kinds of endpoints. Over their lifetimes, IoT devices will need to be protected from a host of threats, some of which have yet to be dreamed up. Monitoring and protecting these devices will require advanced detection capabilities. On the plus side, it will be possible to retain distinct log data to enable forensic investigation.

Virtual endpoints, on the other hand, present their own important concerns. Their ability to move between physical locations makes it far more difficult to guarantee that the right security policies are always attached to the endpoint. The practice of re-imaging virtual endpoints can make forensic investigation hard, as essential data is usually lost when a new image is applied.

So no matter what word or phrase is used to describe your endpoints (endpoint, system, client device, user device, mobile device, server, virtual machine, container, cloud workload, IoT device, and so on), it is essential to understand precisely what someone means when they use the term endpoint.

Detection Is Crucial Post Compromise – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften


If Prevention Has Failed Then Detection Is Vital

The last scene in the well-known Vietnam War film Platoon depicts a North Vietnamese Army regiment in a surprise night attack breaching the concertina wire perimeter of an American Army battalion, overrunning it, and slaughtering the shocked defenders. The desperate company commander, understanding their dire defensive predicament, orders his air support to strike his own position: “For the record, it’s my call. Dump everything you’ve got left on my position!” Minutes later the battlefield is immolated in a napalm hellscape.

Although a physical conflict, this highlights two aspects of cybersecurity: (1) you must deal with inevitable perimeter breaches, and (2) it can be bloody hell if you do not detect early and respond forcefully. MITRE Corporation has been leading the call for rebalancing cybersecurity priorities to place due emphasis on breach detection in the network interior rather than merely focusing on penetration prevention at the network perimeter. Instead of defense in depth, the latter produces a flawed “tootsie pop” defense: hard, crunchy shell, soft chewy center. Writing in a MITRE blog, “We could see that it would not be a question of if your network will be breached but when it will be breached,” explains Gary Gagnon, MITRE’s senior vice president, director of cybersecurity, and chief security officer. “Today, organizations are asking ‘How long have the intruders been inside? How far have they gone?’”

Some call this the “assumed breach” approach to cybersecurity, or as posted to Twitter by F-Secure’s Chief Research Officer:

Q: How many of the Fortune 500 are compromised? A: 500.

This is based on the likelihood that any sufficiently complex cyber environment has an existing compromise, and that Fortune 500 enterprises are of magnificently complex scale.

Shift the Burden of Perfect Execution from the Defenders to the Attackers

The conventional cybersecurity view, derived from the legacy perimeter defense model, has been that the attacker only has to be right once, while the defender has to be right every time. A sufficiently resourced and persistent attacker will eventually achieve penetration. And time to successful penetration decreases with the increasing size and complexity of the target enterprise.

A perimeter or prevention dependent cyber defense model essentially demands perfect execution by the defender, while ceding success to any sufficiently sustained attack: a recipe for certain cyber disaster. For example, a leading cybersecurity red team reports successful enterprise penetration in under three hours in more than 90% of their client engagements, and these white hats are restricted to ethical means. Your enterprise’s black hat adversaries are not so constrained.

To be viable, the cyber defense strategy must turn the tables on the attackers, shifting to them the unattainable burden of perfect execution. That is the rationale for a strong detection capability that constantly monitors endpoint and network behavior for any anomalous indicators or observed adversary footprints inside the perimeter. The more sensitive the detection capability, the more care and stealth the attackers must exercise in executing their kill chain sequence, and the more time, labor and skill they must invest. The defenders need only observe a single attacker misstep to uncover their tracks and unravel the attack kill chain. Now the defenders become the hunters, the attackers the hunted.

The MITRE ATT&CK Model

MITRE provides a detailed taxonomy of adversary footprints covering the post-compromise portion of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project team leader Blake Strom says, “We decided to focus on the post attack period [portion of kill chain lined in orange below], not only because of the strong likelihood of a breach and the dearth of actionable information, but also because of the many opportunities and intervention points available for effective defensive action that do not necessarily rely on prior knowledge of adversary tools.”




As shown in the MITRE figure above, the ATT&CK model adds granularity to the post-compromise phases of the attack kill chain, breaking them out into ten tactic categories. Each tactic category is further detailed into a list of techniques an attacker might use in carrying out that tactic. The January 2017 update of the ATT&CK matrix lists 127 techniques across its ten tactic categories. For instance, Registry Run Keys / Start Folder is a technique in the Persistence category, Brute Force is a technique in the Credential Access category, and Command-Line Interface is a technique in the Execution category.

Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model

Endpoint Detection and Response (EDR) solutions, such as Ziften provides, offer vital visibility into attacker use of the techniques listed in the ATT&CK model. For instance, Registry Run Keys / Start Folder technique use is reported, as is Command-Line Interface use, since both involve readily observable endpoint behavior. Brute Force use in the Credential Access category should be blocked by design in every authentication architecture and be observable from the resulting account lockout. But even here the EDR product can report events such as failed login attempts, where an attacker may make only a few guesses at a time so as to stay under the account lockout threshold.
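As an added example (not Ziften code), the script below shows the detection logic the paragraph above calls for. It replays constructed failed-logon events through a Windows-style lockout policy (5 failures, counter reset after 15 minutes; both assumed values) and shows that an attacker who makes three guesses every twenty minutes never trips it, then counts the same events over a longer sliding window, where the account does stand out. The log lines, the account names, the source addresses and the four-hour window are all constructed for illustration.

```python
"""Low-and-slow failed logon detection (added example, not Ziften code).

Simulates an account lockout policy against constructed failed logon events and
contrasts it with a longer-window count that catches guessing that deliberately
stays under the lockout threshold."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. Fields: timestamp, event id, account, source IP.
# 4625 is the Windows "failed logon" event, 4624 a successful logon. The attacker at
# 10.0.0.44 makes three guesses against jsmith every twenty minutes; mlee mistypes once.
SAMPLE_LOG = """\
2017-02-01T08:00:05 4625 jsmith 10.0.0.44
2017-02-01T08:00:09 4625 jsmith 10.0.0.44
2017-02-01T08:00:14 4625 jsmith 10.0.0.44
2017-02-01T08:20:02 4625 jsmith 10.0.0.44
2017-02-01T08:20:07 4625 jsmith 10.0.0.44
2017-02-01T08:20:11 4625 jsmith 10.0.0.44
2017-02-01T08:40:01 4625 jsmith 10.0.0.44
2017-02-01T08:40:06 4625 jsmith 10.0.0.44
2017-02-01T08:40:10 4625 jsmith 10.0.0.44
2017-02-01T09:00:03 4625 jsmith 10.0.0.44
2017-02-01T09:00:08 4625 jsmith 10.0.0.44
2017-02-01T09:00:12 4625 jsmith 10.0.0.44
2017-02-01T09:05:30 4625 mlee 10.0.0.7
2017-02-01T09:05:41 4624 mlee 10.0.0.7
"""

# Assumed lockout policy (typical domain settings): 5 failures lock the account,
# and the failure counter resets 15 minutes after the last failure.
LOCKOUT_THRESHOLD = 5
LOCKOUT_RESET = timedelta(minutes=15)


def parse_log(text):
    """Return a list of (timestamp, event_id, account, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, account, src = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), account, src))
    return events


def failed_logons_by_account(events):
    """Group sorted failed-logon timestamps and the source IPs seen, per account."""
    stamps, sources = defaultdict(list), defaultdict(set)
    for ts, event_id, account, src in events:
        if event_id == 4625:
            stamps[account].append(ts)
            sources[account].add(src)
    for account in stamps:
        stamps[account].sort()
    return stamps, sources


def lockout_fires(stamps, threshold=LOCKOUT_THRESHOLD, reset_after=LOCKOUT_RESET):
    """Model the lockout counter: it grows with each failure and resets to zero
    once `reset_after` has elapsed since the previous failure."""
    count, last = 0, None
    for ts in stamps:
        if last is not None and ts - last > reset_after:
            count = 0
        count += 1
        last = ts
        if count >= threshold:
            return True
    return False


def low_and_slow_alerts(stamps_by_account, sources_by_account,
                        min_failures=10, window=timedelta(hours=4)):
    """Flag accounts whose failures inside any sliding `window` reach `min_failures`,
    regardless of whether the lockout policy ever triggered."""
    alerts = []
    for account, stamps in stamps_by_account.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_failures:
                alerts.append({"account": account, "failures": end - start + 1,
                               "first": stamps[start], "last": ts,
                               "sources": sorted(sources_by_account[account])})
                break
    return alerts


def analyze(text):
    """Return (accounts the lockout policy would have locked, low-and-slow alerts)."""
    stamps, sources = failed_logons_by_account(parse_log(text))
    locked = sorted(a for a, s in stamps.items() if lockout_fires(s))
    return locked, low_and_slow_alerts(stamps, sources)


if __name__ == "__main__":
    locked, alerts = analyze(SAMPLE_LOG)
    print("locked out by policy:", locked or "none")
    for a in alerts:
        print(f"ALERT {a['account']}: {a['failures']} failures {a['first']}..{a['last']} "
              f"from {', '.join(a['sources'])} without tripping lockout")
```

Against the sample data the policy locks nobody, while the four-hour count raises one alert for jsmith, all from a single source address. The same two-window structure carries over to password spraying: group by source address instead of account and the attacker who tries one password against hundreds of users, one failure each, shows up the same way.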

For attentive defenders, any technique use may be the attack giveaway that unravels the entire kill chain. EDR solutions compete on their technique observation, reporting, and alerting capabilities, as well as on their analytics capacity to perform more of the attack pattern detection and kill chain reconstruction in support of the security analysts staffing the enterprise SOC. Here at Ziften we will detail more EDR solution capabilities in support of the ATT&CK post-compromise detection model in future blog posts in this series.

The Buzz From RSA 2017 Is That Enterprises Demand Tailored Security Solutions – Charles Leaver

Written By Michael Vaughan And Presented By Charles Leaver Ziften CEO


Security, network and operations teams need more tailored products in 2017

Many of us have attended security conferences over the years, but none bring the same high level of excitement as RSA, where the world comes to talk about security. Of all the conferences I have attended and worked, nothing comes close to the passion for new technology people displayed this past week in downtown San Francisco.

After taking a couple of days to digest the many conversations about the requirements and limitations of existing security tech, I have been able to distill a particular theme among attendees: people want customized solutions that fit their environment and work well across several internal teams.

When I use the term “people,” I mean everyone in attendance regardless of technology segment. Operations professionals, security pros, network veterans, and even user behavior analysts visited the Ziften booth and shared their stories with us.

Everyone seemed more prepared than ever to discuss their wants and needs for their environment. These attendees had their own set of objectives they wanted to achieve within their department and they were hungry for answers. Since the Ziften Zenith solution offers such broad visibility into enterprise devices, it’s not surprising that our booth stayed crowded with people eager to learn more about a new, refreshingly simple endpoint security technology.

Attendees came with complaints about myriad enterprise-centric security concerns and sought deeper insight into what’s really happening on their network and on the devices traveling in and out of the office.

End users of old-school security solutions are on the lookout for newer, more essential software.

If I could choose just one of the frequent questions I received at RSA to share, it’s this one:

“What exactly is endpoint discovery?”

1) Endpoint discovery: Ziften exposes a historical view of unmanaged devices which have been connected to other enterprise endpoints at some time. Ziften allows users to find known and unknown entities which are active or have interacted with known endpoints.

a. Unmanaged Asset Discovery: Ziften uses our extension platform to expose these unknown entities operating on the network.

b. Extensions: These are custom-fit solutions tailored to the user’s specific wants and needs. The Ziften Zenith agent can execute the designated extension one time, on a schedule, or on a continuous basis.

Almost always after the above explanation came the real reason they were visiting:

People are looking for a wide range of solutions for different departments, including executives. This is where working at Ziften makes answering this question a real treat.

Only a portion of the RSA attendees are security experts. I spoke with dozens of network, operations and endpoint management staff, vice presidents, general managers and channel partners.

They clearly all use and understand the need for quality security software, but apparently find the translation to business value missing among security vendors.

NetworkWorld’s Charles Araujo phrased the problem quite well in an article last week:

Businesses must also rationalize security data in a business context and manage it holistically as part of the overall IT and business operating model. A group of vendors is also trying to tackle this challenge …

Ziften was among only three companies mentioned.

After listening to the wants and needs of people from different business-critical backgrounds and explaining to them the capabilities of Ziften’s Extension platform, I typically described how Ziften would tailor an extension to meet their need, or I gave them a short demo of an extension that would enable them to overcome a challenge.

2) Extension Platform: Customized, actionable solutions.

a. SKO Silos: Extensions based on fit and need (operations, network, endpoint, etc.).

b. Custom Requests: Need something you can’t see? We can fix that for you.

3) Enhanced Forensics:

a. Security: Risk management, threat assessment, vulnerabilities, suspicious metadata.

b. Operations: Compliance, license justification, unmanaged assets.

c. Network: Ingress/egress IP movement, domains, volume metadata.

4) Visibility within the network: not just what comes in and goes out.

a. ZFlow: Finally see the network traffic inside your enterprise.

Needless to say, everyone I spoke with in our booth quickly understood the critical benefit of having a tool such as Ziften Zenith running in and across their enterprise.

Forbes contributor Jason Bloomberg said it best when he recently described the future of enterprise security software and how all signs point toward Ziften leading the way:

Perhaps the broadest disruption: vendors are improving their ability to understand how bad actors behave, and can thus take steps to prevent, detect or mitigate their malicious activities. In particular, today’s vendors understand the ‘Cyber Kill Chain’, the steps a skilled, patient hacker (known in the biz as an advanced persistent threat, or APT) will take to achieve his/her nefarious goals.

The product of U.S. defense contractor Lockheed Martin, the Cyber Kill Chain contains seven links: reconnaissance, weaponization, delivery, exploitation, installation, establishing command and control, and actions on objectives.

Today’s more innovative vendors target one or more of these links, with the goal of preventing, detecting or mitigating the attack. Five vendors at RSA stood out in this category.

Ziften offers an agent-based approach to tracking the behavior of users, devices, applications, and network elements, both in real time and across historical data.

In real time, analysts use Ziften for threat identification and prevention, while they use the historical data to uncover steps in the kill chain for mitigation and forensic purposes.

Read This To Ensure That Operational Problems Do Not Become Security Issues – Charles Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


Return to Basics With Hygiene And Avoid Serious Problems

When you were a kid you were taught that brushing your teeth properly and flossing would avoid the need for expensive crowns and root canal procedures. Basic hygiene is far simpler and far cheaper than neglect and disease. The same lesson applies in the realm of enterprise IT: we can run a sound operation with proper endpoint and network hygiene, or we can face mounting security problems and disastrous data breaches as lax hygiene exacts its heavy toll.

Operational and Security Issues Overlap

Endpoint Detection and Response (EDR) tools like those we have built here at Ziften provide analytic insight into system operation across the enterprise endpoint population. They also provide endpoint-derived network operation insights that substantially expand on wire visibility alone and extend into virtual and cloud environments. These insights benefit both security and operations teams in significant ways, given the considerable overlap between operational and security issues:

On the security side, EDR tools offer critical situational awareness for incident response. On the operational side, EDR tools provide vital endpoint visibility for operational control. Critical situational awareness demands a baseline understanding of endpoint population operating norms, and that understanding facilitates proper operational control.

Another way to describe these interdependencies is:

You can’t protect what you don’t manage.
You can’t manage what you don’t measure.
You can’t measure what you don’t monitor.

Managing, measuring, and monitoring have as much to do with the security role as with the operational role; don’t try to split the baby. Management means adherence to policy, that adherence must be measured, and operational measurements constitute a time series that must be monitored. A few sporadic measurements of a critical dynamic time series lack interpretive context.

Tight security does not compensate for lax management, nor does tight management compensate for lax security. [Read that again for emphasis.] Mission execution imbalances here lead to unsustainable inefficiencies and scale obstacles that inevitably cause major security breaches and operational shortfalls.

Areas Of Overlap

Significant overlaps between operational and security issues include:

Configuration hardening and standard images
Group policy
Application control and cloud management
Network segmentation and management
Data protection and encryption
Asset management and device restoration
Mobile device management
Log management
Backups and data restoration
Vulnerability and patch management
Identity management
Access management
Continuous employee cyber awareness training

For example, asset management and device restoration as well as backup and data restoration are most likely operations team responsibilities, but they become major security problems when ransomware sweeps the enterprise, bricking all devices (not just the typical endpoints, but any network-connected devices such as printers, badge readers, security cameras, network routers, medical imaging devices, industrial control systems, etc.). What would your enterprise response time be to reflash and refresh all device images from scratch and restore their data? Or is your contingency plan to immediately stuff the attackers’ Bitcoin wallets and hope they haven’t exfiltrated your data for further extortion and monetization? And why would you offload your data restoration obligation to a criminal syndicate, blindly trusting in their perfect data restoration integrity? It makes absolutely zero sense. Operational control responsibility rests with the enterprise, not with the adversaries, and may not be shirked: shoulder your duty!

For another example, standard image construction using best-practice configuration hardening is clearly a joint responsibility of operations and security staff. In contrast to ineffective signature-based endpoint protection platforms (EPP), which all large enterprise breach victims have long had in place, configuration hardening works, so bake it in and continually refresh it. Likewise consider the needs of enterprise personnel whose job function requires opening unsolicited email attachments, such as resumes, invoices, legal notices, or other required documents. This must be done in a cloistered virtual sandbox environment, not on your production endpoints. Security staff will make these decisions, but operations staff will be imaging the endpoints and supporting the workers. These are shared duties.

Example Of Overlap:

Use a safe environment to detonate. Do not use production endpoints for opening unsolicited but necessary email files, like resumes, invoices, legal notices, and so on.

Focus Limited Security Resources on the Tasks Only They Can Perform

Most large enterprises are challenged to adequately staff all their security functions. Left unaddressed, deficiencies in operational effectiveness will burn out security staff so quickly that security functions will perpetually be understaffed. There won’t be enough fingers on your security team to plug the growing holes in the security dike that lax or inattentive endpoint, network or database management creates. And it will be less difficult to staff operational roles than to staff security roles with talented analysts.

Transfer routine, formulaic activities to operations personnel. Focus limited security resources on the tasks only they can perform:

Security Operations Center (SOC) staffing
Preventive penetration testing and red teaming
Reactive incident response and forensics
Proactive threat hunting (both insider and external)
Security oversight of overlapping operational functions (ensure a current security mindset)
Security policy development and stakeholder buy-in
Security architecture/tools/methodology design, selection, and development

Impose disciplined operations management and focus limited security resources on critical security roles. Then your enterprise can avoid letting operations issues fester into security issues.

Buzz Established By Security Fabric At This Year’s Fortinet Accelerate Conference – Charles Leaver

Written By Josh Applebaum And Presented By Ziften CEO Charles Leaver

The Fortinet Accelerate 2017 conference was held recently in Las Vegas. Ziften sponsored Fortinet’s annual global partner conference for the second time, and it was a pleasure to be there! The energy at the show was palpable, and this was not due to the energy drinks you constantly see people carrying around in Las Vegas. The buzz and energy came from a key theme throughout the week: the Fortinet Security Fabric.

The premise of Fortinet’s Security Fabric is simple: take the disparate security “point products” that an organization has deployed, and link them to leverage the deep intelligence each product holds in its own security silo to provide a unified end-to-end security blanket over the whole organization. Though Fortinet is usually thought of as a network security company, their approach to providing a complete security solution spans more than the traditional network to include endpoints, IoT devices, and the cloud. By exposing APIs to Fabric Ready partners and enabling the exchange of actionable threat intelligence, Fortinet is opening the door to a more collaborative strategy across the whole security industry.

It is refreshing to see that Fortinet shares the belief we hold at Ziften, which is that the only way we as an industry are going to catch up to (and surpass) the attackers is through integration and cooperation across all reaches of security, regardless of which vendor provides each element of the total solution. This is not a problem we are going to solve on our own, but rather one that will be solved through a unified approach like the one set out by Fortinet with their Security Fabric. Ziften is proud to be a founding member of Fortinet’s Fabric Ready Alliance program, integrating our unique approach to endpoint security with Fortinet’s “think different” mindset about what it means to integrate and work together.

Throughout the week, Fortinet’s (very enthusiastic) channel partners had the chance to walk the show floor to see the integrated solutions offered by the various technology partners. Ziften showcased its integrations with Fortinet, including the integration of our solution with Fortinet’s FortiSandbox.

The Ziften solution collects unknown files from endpoints (clients or servers running OS X, Linux or Windows) and submits them to the FortiSandbox for analysis and detonation. Results are automatically fed back into Ziften for alerting, reporting, and (where possible) automated mitigation actions.

It was exciting to see that the Fortinet channel partners clearly got the value of a Security Fabric approach. It was clear to them, as well as to Ziften, that the Security Fabric is not a marketing gimmick, but rather a genuine strategy assembled and led by Fortinet. While this is only the beginning of Fortinet’s Security Fabric story, Ziften is delighted to collaborate with Fortinet and watch the story continue to unfold!

2017 Will Bring Three Tiers Of Cyber Espionage – Charles Leaver

Written By Jesse Sampson And Presented By Ziften CEO Charles Leaver


There is a lot of debate at the moment about the hacking threat from Russia, and it would be easy for security professionals to be excessively worried about cyber espionage. Since the objectives of any cyber espionage campaign dictate its targets, Ziften Labs can help answer this question by diving into the reasons why states conduct these campaigns.

Last Friday, the three major United States intelligence agencies released a detailed statement on Russian activities related to the 2016 United States elections: Assessing Russian Activities and Intentions in Recent US Elections (Activities and Intentions). While some skeptics remain unconvinced by the new report, the threats identified by the report that we cover in this post are compelling enough to warrant examination and realistic countermeasures, in spite of the near impossibility of incontrovertibly identifying the source of the attack. Naturally, the official Russian position has been winking denial of the hacks.

“Usually these kinds of leaks happen not because cyber criminals broke in but, as any specialist will tell you, because someone simply forgot the password or set the simple password 123456.” German Klimenko, Putin’s top Internet adviser

While the agencies get criticized for bureaucratic language like “high confidence,” the considered rigor of briefings like Activities and Intentions contrasts with the headline-friendly “1000% certainty” of a mathematically disinclined media hustler like Julian Assange.

Activities and Intentions is most perceptive when it locates the use of hacking and cyber espionage within “multifaceted” Russian doctrine:

“Moscow’s use of disclosures during the US election was unprecedented, but its influence campaign otherwise followed a longstanding Russian messaging strategy that blends covert intelligence operations – such as cyber activity – with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or “trolls.”

The report is weakest when assessing the motives behind the doctrine, a.k.a. strategy. Apart from some incantations about intrinsic Russian hostility to the liberal democratic order, it asserts that:

“Putin most likely wanted to discredit Secretary Clinton because he has publicly blamed her since 2011 for inciting mass protests against his regime in late 2011 and early 2012, and because he holds a grudge for comments he almost certainly saw as disparaging him.”

A more nuanced assessment of Russian motivation and its cyber manifestations will help us better determine security strategy in this environment. Ziften Labs has identified three major strategic imperatives at work.

First, as Kissinger would say, through history “Russia came to see itself as a beleaguered outpost of civilization for which security could be found only through exerting its absolute will over its neighbors” (52). US policy in the Bill Clinton era threatened this notion through the expansion of NATO and dislocating economic interventions, perhaps contributing to a Russian preference for a Trump presidency.

Russia has used cyberwarfare methods to secure its influence in former Soviet areas (Estonia, 2007; Georgia, 2008; Ukraine, 2015).

Second, President Putin wants Russia to be a great power in geopolitics again. “Above all, we should acknowledge that the collapse of the Soviet Union was a major geopolitical disaster of the century,” he said in 2005. Hacking the identities of prominent people in political, academic, defense, technology, and other institutions that operatives can leak to embarrassing or outrageous effect is an easy way for Russia to discredit the US. The perception that Russia can affect election results in the US with a keystroke calls into question the legitimacy of US democracy, and muddles discussion around similar issues in Russia. With other prestige-boosting efforts like brokering the ceasefire talks in Syria (after leveling several cities), this approach could enhance Russia’s global profile.

Finally, President Putin may harbor concerns about his own job security. Despite very favorable election outcomes, according to Activities and Intentions, the protests in 2011 and 2012 still loom large in his mind. With several regimes changing in his neighborhood in the 2000s and 2010s (he called it an “epidemic of disintegration”), some of which came about as a result of intervention by NATO and the United States, President Putin is wary of Western interventionists who wouldn’t mind a similar outcome in Russia. A coordinated campaign could help discredit rivals and put the least aggressive candidates in power.

Given these reasons for Russian hacking, who are the most likely targets?

Given the overarching goals of discrediting the legitimacy of the United States and NATO and assisting non-interventionist candidates where possible, government agencies, particularly those with roles in elections, are at greatest risk. So too are campaign organizations and other NGOs close to politics, like think tanks. These have provided softer targets for hackers to access sensitive information. This means that organizations with account information for, or access to, prominent people whose details could result in embarrassment or confusion for United States political, business, academic, and media institutions need to be extra careful.

The next tier of risk comprises critical infrastructure. While recent Washington Post reports of a compromised US electrical grid turned out to be overblown, Russia really has hacked power grids and perhaps other parts of physical infrastructure like gas and oil. Beyond critical physical infrastructure, technology, finance, telecommunications, and media could be targeted, as happened in Georgia and Estonia.

Finally, although the intelligence agencies’ work over the past weeks has caught some heat for providing “obvious” recommendations, everyone really would benefit from the tips presented in the Homeland Security/FBI report, and in this blog post about hardening your configuration by Ziften’s Dr Al Hartmann. With major elections coming up this year in critical NATO members the Netherlands, Germany and France, only one thing is guaranteed: it will be a busy year for Russian cyber operators, and these recommendations should be a top priority.

Your IT Security Starts With Asset Identification and Management – Charles Leaver

Written By Roark Pollock And Presented By Charles Leaver CEO Ziften


Trustworthy IT asset management and discovery can be a network and security admin’s best friend.

I don’t need to tell you the obvious; we all know that a good security program begins with an audit of all the devices connected to the network. However, maintaining a current inventory of every connected device used by employees and business partners is challenging. Even more challenging is making sure that there are no connected unmanaged assets.

What is an Unmanaged Asset?

Networks can have countless connected devices. These might include the following, among others:

– User devices such as laptops, desktop PCs, workstations, virtual desktops, bring-your-own devices (BYOD), smartphones, and tablets.

– Cloud and data center devices such as servers, virtual machines (VMs), orphaned VMs, containers, and storage systems.

– Networking devices such as switches, load balancers, firewalls, and WiFi access points.

– Other devices such as printers and, more recently, Internet of Things (IoT) devices.

Unfortunately, many of these connected devices may be unknown to IT, or not governed by IT group policies. These unknown devices, and those not covered by IT policies, are referred to as “unmanaged assets.”

The number of unmanaged assets continues to grow for many companies. Ziften finds that as many as 30% to 50% of all connected devices may be unmanaged assets in today’s business networks.

IT asset management tools are typically optimized to identify assets such as PCs, servers, load balancers, firewalls, and storage devices used to deliver business applications to the organization. However, these management tools usually ignore assets not owned by the organization, such as BYOD endpoints or user-deployed wireless access points. Even more troubling, Gartner asserts in “Beyond BYOD to IoT, Your Business Network Access Policy Should Change” that IoT devices have overtaken employees and guests as the biggest user of the enterprise network [1].

Gartner goes on to describe a new trend that will introduce even more unmanaged assets into the business environment – bring your own things (BYOT):

Essentially, employees bringing items designed for the smart home into the office environment. Examples include smart power sockets, smart kettles, smart coffee makers, smart light bulbs, domestic sensors, wireless webcams, plant care sensors, environmental controls, and ultimately, home robots. Many of these things will be brought in by staff looking to make their working environment more congenial. These “things” can sense data, can be managed by apps, and can communicate with cloud services [1].

Why is it Essential to Identify Unmanaged Assets?

Quite simply, unmanaged assets create IT and security blind spots. Mike Hamilton, SVP of Product at Ziften, said, “Security starts with knowing exactly what physical and virtual devices are connected to the business network. But BYOD, shadow IT, IoT, and virtualization are making that more difficult.”

These blind spots not only increase security and compliance risk, they can increase legal risk. Information retention policies designed to limit legal liability are unlikely to be applied to electronically stored information held on unapproved virtual, mobile and cloud assets.

Maintaining an up-to-date inventory of the assets on your network is essential to good security. It’s common sense: if you don’t know it exists, you can’t know whether it is protected. In fact, asset visibility is so important that it is a foundational part of most information security frameworks, including:

– SANS Critical Security Controls for effective cyber defense: building an inventory of authorized and unauthorized devices is first on the list.

– Council on CyberSecurity Critical Security Controls: producing an inventory of authorized and unauthorized devices is the first control in the focused list.

– NIST Information Security Continuous Monitoring for Federal Information Systems and Organizations (SP 800-137): information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

– ISO/IEC 27001 Information Security Management System Requirements: the standard requires that assets be clearly identified and that an inventory of all important assets be drawn up and maintained.

– Ziften’s Adaptive Security Framework: the first pillar covers discovery of all your authorized and unauthorized physical and virtual devices.

Considerations in Evaluating Asset Discovery Solutions

There are multiple techniques used for asset discovery and network mapping, and each has benefits and drawbacks. While evaluating the myriad tools, keep these two key considerations in mind:

Continuous versus point-in-time

Strong information security requires continuous asset identification, no matter what approach is used. However, many scanning techniques used in asset discovery take time to complete and are therefore performed only periodically. The drawback of point-in-time asset identification is that transient systems may only be on the network for a short time, so it is very possible that these systems will never be found.

Some discovery methods can trigger security alerts in network firewalls, intrusion detection systems, or virus scanning tools. Because these methods can be disruptive, discovery is only run at scheduled, point-in-time intervals.

There are, however, asset discovery techniques that can be used continuously to locate and identify connected assets. Tools that provide constant monitoring for unmanaged assets deliver much better unmanaged asset discovery results.

“Since passive detection runs 24×7, it will identify transient assets that may only be occasionally and briefly connected to the network, and can send out alerts when new assets are identified.”

Passive versus active

Asset identification tools provide intelligence on every discovered asset, including IP address, hostname, MAC address, device manufacturer, and device type. This technology helps operations teams quickly clean up their environments, removing rogue and unmanaged devices – even VM sprawl. However, these tools go about gathering that intelligence in different ways.

Tools that use active network scanning probe the network to elicit responses from devices. These responses provide clues that help identify and fingerprint the device. Active scanning periodically examines the network, or a segment of it, for devices that are connected at the time of the scan.

Active scanning can usually provide more thorough vulnerability analysis, malware detection, and configuration and compliance auditing. However, active scanning is performed only periodically because it is disruptive to the security infrastructure. Unfortunately, that means active scanning risks missing transient devices and vulnerabilities that appear between scheduled scans.

Other tools use passive asset identification techniques. Because passive detection operates 24×7, it will discover transient assets that may only be occasionally and briefly connected to the network, and can send alerts when new assets are found.

In addition, passive discovery does not disturb sensitive devices on the network, such as industrial control systems, and gives visibility into the Internet and cloud services being accessed from systems on the network. Passive discovery methods also avoid triggering alerts on security tools across the network.
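The continuous-versus-point-in-time and passive-versus-active trade-offs above, as an added example that is not Ziften’s code: a passive inventory folds in each observed record as it arrives and alerts on new unmanaged assets, while a simulated periodic scan only sees devices present at scan time. The sensor observations, OUI table and managed-asset set are all constructed placeholders.

```python
"""Continuous passive discovery beside periodic point-in-time scanning.
Added example, not Ziften's code. Observations are constructed records
(timestamp_seconds, mac, ip, hostname) as a passive sensor might derive from
ARP/DHCP traffic; the OUI table and MANAGED set are placeholders."""

# Constructed OUI prefix -> manufacturer lookup (placeholder names).
OUI = {"00:11:22": "ExampleLaptopCo", "aa:bb:cc": "ExamplePhoneCo",
       "de:ad:be": "ExampleIoTCo"}
# Constructed: MACs present in the IT asset database; all others are unmanaged.
MANAGED = {"00:11:22:33:44:55"}

# Constructed sensor observations. The "smart-kettle" (BYOT) is transient:
# on the network for under a minute and never during a scheduled scan.
OBSERVATIONS = [
    (0, "00:11:22:33:44:55", "10.0.0.10", "corp-laptop-01"),
    (60, "aa:bb:cc:dd:ee:ff", "10.0.0.50", "android-byod"),
    (100, "de:ad:be:ef:00:01", "10.0.0.77", "smart-kettle"),
    (150, "de:ad:be:ef:00:01", "10.0.0.77", "smart-kettle"),
    (3500, "00:11:22:33:44:55", "10.0.0.10", "corp-laptop-01"),
    (3550, "aa:bb:cc:dd:ee:ff", "10.0.0.50", "android-byod"),
]

class PassiveInventory:
    """Inventory built only from traffic the sensor sees; never probes a device."""

    def __init__(self):
        self.assets = {}   # mac -> asset record
        self.alerts = []   # human-readable alerts for new unmanaged assets

    def observe(self, ts, mac, ip, hostname):
        """Fold one passively seen record into the inventory; alert when a
        never-before-seen asset is outside the managed set."""
        mac = mac.lower()
        asset = self.assets.get(mac)
        if asset is None:
            asset = {"ip": ip, "hostname": hostname, "first_seen": ts,
                     "last_seen": ts, "manufacturer": OUI.get(mac[:8], "unknown"),
                     "managed": mac in MANAGED}
            self.assets[mac] = asset
            if not asset["managed"]:
                self.alerts.append(f"t={ts}: new unmanaged asset {mac} "
                                   f"({asset['manufacturer']}) {ip} {hostname}")
        else:  # known device: refresh last-seen and current addressing
            asset.update(ip=ip, hostname=hostname, last_seen=ts)
        return asset

    def unmanaged(self):
        return sorted(m for m, a in self.assets.items() if not a["managed"])

def run_passive(observations):
    """Continuous (24x7) discovery: each record is processed as it arrives."""
    inv = PassiveInventory()
    for ts, mac, ip, hostname in sorted(observations):
        inv.observe(ts, mac, ip, hostname)
    return inv

def point_in_time_scan(observations, scan_times, window=300):
    """Simulated periodic active scan: a device is discovered only if it was
    seen on the network within `window` seconds before a scan instant."""
    found = set()
    for t in scan_times:
        found |= {mac.lower() for ts, mac, _, _ in observations
                  if t - window <= ts <= t}
    return found
```

With hourly scans at t=0 and t=3600, the scan finds only the laptop and the phone; the passive inventory also catches the kettle and raises two unmanaged-asset alerts.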


BYOD, shadow IT, IoT, virtualization, and Gartner’s newly coined BYOT mean more and more assets on the organization’s network. Unfortunately, many of these assets are unknown to, or unmanaged by, IT. These unmanaged assets present serious security holes. Removing these unmanaged assets from the network – they are far more likely to be “patient zero” – or bringing them up to business security standards significantly reduces a company’s attack surface and overall risk. The good news is that there are solutions that can provide continuous, passive discovery of unmanaged assets.


Don’t Just Rely On Your Enterprise Antivirus – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO


Dwindling Effectiveness of Enterprise Antivirus?

Google Security Expert Labels Antivirus Apps As Ineffective ‘Magic’

At the recent Kiwicon hacking conference in Wellington, New Zealand, Google’s Platform Integrity team manager Darren Bilby preached cyber-security heresy. Charged with investigating highly sophisticated attacks, including the 2009 Operation Aurora campaign, Bilby lumped enterprise antivirus into a collection of ineffective tools installed to tick a compliance check box, but at the expense of real security:

We need to stop investing in those things we have shown are not effective… Anti-virus does some useful things, however in reality, it is more like a canary in a coal mine. It is worse than that. It’s like we are loafing around the dead canary stating ‘Thank god it inhaled all the toxic gas.’

Google security experts aren’t the first to weigh in against enterprise antivirus, or to draw uncomplimentary analogies, in this case to a dead canary.

Another highly skilled security group, FireEye Mandiant, compared static defenses such as enterprise antivirus to that infamously failed World War II defense, the Maginot Line:

Like the Maginot Line, today’s cyber defenses are quickly becoming an antique in today’s threat landscape. Organizations invest billions of dollars each year on IT security. However hackers are easily outflanking these defenses with smart, fast-moving attacks.

An example of this was given by a Cisco managed security services executive speaking at a conference in Poland. Their team had identified anomalous activity on one of their business customer’s networks and reported the suspected server compromise to the customer. To the Cisco team’s astonishment, the customer simply ran an antivirus scan on the server, found no detections, and put it back into service. Alarmed, the Cisco team conferenced the customer in to their monitoring console and was able to show the attacker carrying out a live remote session at that very moment, complete with typing mistakes and re-issued commands to the compromised server. Finally convinced, the customer took the server down and completely re-imaged it. The enterprise antivirus had been a useless diversion: it had not served the customer and it had not deterred the attack.

So Is It Time to Get Rid Of Enterprise Antivirus Now?

I am not yet ready to declare an end to the age of enterprise antivirus. But I do know that businesses have to invest in detection and response capabilities to complement conventional antivirus. And increasingly I wonder who is complementing whom.

Skilled targeted attackers will always successfully evade antivirus defenses, so against your greatest cyber threats, enterprise antivirus is essentially ineffective. As Darren Bilby stated, it does do some useful things, but it does not provide the endpoint defense you need. So do not let it distract you from the highest-priority cyber-security investments, and don’t let it distract you from the security measures that genuinely help.

Proven cyber defense measures include:

– Configuration hardening of networks and endpoints.

– Identity management with strong authentication.

– Application controls.

– Continuous network and endpoint monitoring, constant vigilance.

– Strong encryption and data protection.

– Personnel education and training.

– Continuous threat re-assessment, penetration testing, red/blue teaming.

In contrast to Bilby’s criticism of enterprise antivirus, none of the above bullets are ‘magic’. They are simply the ongoing work of adequate enterprise cyber-security.

Cyber Attacks Can Be Prevented If You Take These Actions – Charles Leaver

Written By Charles Leaver CEO Ziften


No company, however small or large, is immune from a cyberattack. Whether the attack is launched from an external source or by an insider, no organization is fully protected. I have lost count of the number of times that executives have said to me, “why would anybody want to attack us?”

Cyberattacks Can Take Lots of Forms

The proliferation of devices that can connect to organization networks (laptops, smartphones and tablets) means an increased risk of security vulnerabilities. The objective of a cyberattack is to exploit those vulnerabilities.


Among the most common cyberattack methods is the use of malware. Malware is code with harmful intent and includes viruses, Trojans and worms. The objective of malware is usually to steal sensitive data or even disable computer networks. Malware often takes the form of an executable file that will spread across your network.

Malware is becoming far more sophisticated, and there is now rogue malware that masquerades as legitimate security software designed to protect your network.

Phishing Attacks

Phishing attacks are also common. Often it is an email sent from a supposedly “trusted authority” asking the user to supply personal data by clicking a link. Some of these phishing emails look extremely genuine and have fooled a great many users. If the link is clicked and data entered, the information will be stolen. Today an increasing number of phishing emails also carry ransomware.

Password Attacks

A password attack is among the simplest types of cyber attack. This is where an unauthorized third party tries to get into your systems by “cracking” the login password. Software can be used to carry out brute force attacks that guess passwords, and combinations of words used as passwords can be checked against a dictionary file.

If an attacker gains access to your network through a password attack, they can quickly introduce malware and cause a breach of your sensitive data. Password attacks are among the simplest to prevent, and strict password policies provide a very effective barrier. Changing passwords regularly is also recommended.

Denial of Service

A Denial of Service (DoS) attack is all about causing maximum disruption to the network. Attackers send very high volumes of traffic through the network and usually make large numbers of connection requests. The result is that the network is overloaded and shuts down.

Cyber attackers can use many computers in DoS attacks to generate very high levels of traffic and overload the network. Recently the largest DoS attack in history used botnets against Krebs On Security. Frequently, endpoint devices connected to the network such as PCs and laptops are hijacked and then contribute to the attack. A DoS attack can have serious consequences for network security.

Man in the Middle

Man in the middle attacks are carried out by impersonating the endpoints of a network during an information exchange. Information can be stolen from the end user or even from the server they are communicating with.

How Can You Completely Avoid Cyber Attacks?

Completely preventing cyber attacks is impossible with current technology, but there is a great deal you can do to protect your network and your sensitive data. It is essential not to believe that you can simply purchase and install a security software suite and then sit back. The more sophisticated cyber criminals know all of the security software on the market and have designed methods to get around the safeguards it provides.

Strong and frequently changed passwords is a policy you need to adopt, and it is among the easiest safeguards to put in place. Encrypting your sensitive data is another no-brainer. Beyond installing antivirus and anti-malware suites along with a good firewall, you should make sure that regular backups are in place and that you have a data breach incident response/remediation plan in case the worst happens. Ziften helps businesses continuously monitor for threats that may get through their defenses, and take action right away to eliminate the threat completely.

To Avoid Security And Compliance Nightmares Do This Before Cloud Migration – Charles Leaver

Written By Logan Gilbert And Posted By Charles Leaver Ziften CEO


Fears Over Compliance And Security Keep Companies From Cloud Migration

Migrating parts of your IT operations to the cloud can seem like a big chore, and a risky one at that. Security holes, compliance record keeping, the danger of introducing errors into your architecture… cloud migration presents a great many hairy issues to deal with.

If you’ve been wary about moving, you’re not alone – but help is on the way.

When Evolve IP surveyed 1,000+ IT pros earlier this year for their Adoption of Cloud Services North America report, 55 percent of those polled said that security is their biggest concern about cloud adoption. For organizations that do not currently have any cloud presence, the number was even higher – 70%. The next biggest barrier to cloud adoption was compliance, cited by 40 percent of respondents. (That’s up eleven percent this year.)

But here’s the larger problem: if these concerns are keeping your company out of the cloud, you can’t take advantage of the efficiency and cost benefits of cloud services, which becomes a strategic impediment for your whole organization. You need a way to migrate that also answers concerns about security, compliance, and operations.

Improved Security in Any Environment With Endpoint Visibility

This is where endpoint visibility comes in. Being able to see what’s going on with every endpoint gives you the visibility you need to improve security, compliance, and operational efficiency when you migrate your data center to the cloud.

And I mean any endpoint: desktop, laptop, mobile phone, server, VM, or container.

As a long-time IT professional, I understand the temptation to think you have more control over your servers when they’re locked in a closet and you’re the one who holds the keys. Even when you know that segments of your environment rely on kludges, they’re your kludges, and they’re stable. Plus, when you’re running your own data center – unlike when you’re in the cloud – you can use network taps and a whole host of monitoring tools to look at traffic on the wire, work out a good deal about who’s talking to whom, and fix your problems.

But that level of information pales in comparison to endpoint visibility, whether in the data center or in the cloud. The granularity and control of Ziften’s solution gives you far more control than you could ever get with a network tap. You can discover malware and other problems anywhere (even off your network), isolate them immediately, then trace them back to whichever user, application, device, or process was the weak link in the chain. Ziften provides the ability to perform look-back forensics and to fix problems in far less time.

Removing Your Cloud Migration Nightmares

Endpoint visibility makes a huge difference whenever you’re ready to move a segment of your environment to the cloud. By analyzing endpoint activity, you can build a baseline inventory of your systems, clean out unmanaged assets such as orphaned VMs, and hunt down vulnerabilities. That gets all assets protected and stable within your own data center before your move to a cloud service provider such as AWS or Azure.

After you have moved to the cloud, ongoing visibility into each application, device and user means that you can administer all parts of your infrastructure more efficiently. You avoid wasting resources by preventing VM sprawl, and you have a detailed body of data to satisfy the audit requirements of NIST 800-53, HIPAA, and other compliance regulations.

When you’re ready to move to the cloud, you’re not destined for weak security, inadequate compliance, or operational SNAFUs. Ziften’s approach to endpoint security gives you the visibility you need for cloud migration without the headaches.