The Lightweight Solution To Endpoint Security – Chuck Leaver

Chuck Leaver, Ziften CEO, Presents A Post By CTO David Shefter

If you are a company with 5000 or more workers, it is likely that your IT Security and Operations groups are overwhelmed by the volume of data they must sift through to gain even a small degree of visibility into what their users are doing day to day. Antivirus suites have been installed, USB ports have been shut down and user access constraints have been enforced, but the risk of cyber attacks and malware intrusions still exists. What action do you take?

According to a Verizon Data Breach Report, approximately 72% of advanced malware and cyber criminal intrusions happen in the endpoint environment. Your company first has to ask itself how valuable its reputation is. Take Target as an example: a malware attack cost them over $6 billion in market cap loss. Sadly, the modern world places us constantly under attack from disgruntled or rogue employees, anarchists and other cyber wrongdoers, and this situation is only likely to worsen.

Your network is safeguarded by firewalls and similar controls, but you are not able to see what is occurring beyond the network switch port. The only real way to resolve this danger is to implement a solution that works with and complements the network based solutions you already have. Ziften (which is Dutch for “To Sift”) offers such a solution, providing “Open Visibility” with a lightweight approach. You need to cover the entire environment, including servers, the network, desktops and so on, without placing additional overhead and stress on your network. A key Ziften commitment is that the solution will not have a negative impact on your environment while still delivering a deeply impactful visibility and security capability.

Ziften’s software understands machine behavior and irregularities, enabling analysts to focus on sophisticated threats faster and keep attacker dwell time to a minimum. The solution continuously monitors activity at the endpoint: resource consumption, IP connections, user interactions and more. With it, your organization can determine the source of an infiltration faster and remediate the problem.

It is a lightweight solution that is not kernel or driver based: it uses very little memory, adds little to no overhead at the system level and generates almost zero network traffic.

Driver and kernel based solutions face intense certification requirements that can take longer than nine months. By the time the new software is developed and baked, the OS may already be at its next release. This is a time consuming, hard to support and troublesome procedure.

The Ziften approach is a real differentiator in the market. Deploying a very lightweight, non-invasive agent that runs as a system service removes the strain that many new software solutions place on the endpoint. Ease of deployment results in faster time to market, easy support, scalability and a simple solution that does not impede the user environment.

To summarize: with the current level of cyber threats, and the danger of a reputation-damaging cyber attack increasing every day, you need continuous, 24/7 monitoring of all your endpoint devices so that you have clear visibility of any endpoint security threats, gaps or instabilities. Ziften can provide this to you.


Chuck Leaver – These Cyber Readiness Items Need To Be On Your List

Presented by Chuck Leaver, Chief Executive Officer, Ziften Technologies. Written by Dr Al Hartmann.


1. Security Operations Center (SOC).

You have a Security Operations Center established with 24/7 coverage, either in-house, outsourced or a combination of the two. You do not want any gaps in coverage that could leave you open to infiltration. Handovers between watch supervisors must be formalized, with appropriate handover reports provided. The supervisor delivers a daily summary covering any attack detections and defensive countermeasures. Where possible, attackers should be identified and distinguished by their C2 infrastructure, attack method and so on, and given codenames. You are not trying to attribute attacks here, which would be too difficult, but simply noting attack activity patterns that correlate with different cyber criminals. It is important that your SOC familiarizes itself with these patterns and is able to separate attackers, or even spot new ones.

2. Security Vendor Support Readiness.

It is not possible for your security staff to know about every aspect of cyber security, nor to have visibility of attacks on other organizations in the same market. You need to have external security support groups on standby, which could include the following:

(i) Emergency response support: This is a list of providers that will respond to the most severe cyber attacks, the ones that make headlines. You must ensure that one of these vendors is ready for a major threat, and they must receive your cyber security reports regularly. They should have legal forensic capabilities and working relationships with law enforcement.

(ii) Cyber threat intelligence support: This is a supplier that gathers cyber threat intelligence in your vertical, so that you can stay ahead of threats emerging in your vertical. This team needs to be plugged into the dark net, looking for any mention of your organization’s IP or chatter between hackers discussing your company.

(iii) IoC and blacklist support: Because this spans numerous areas you will need numerous vendors. It includes domain blacklists, SHA1 or MD5 hash blacklists, IP blacklists and indicators of compromise (suspect config settings, registry keys, file paths, etc.). Some of your installed network or endpoint security products may provide these, or you can appoint a third party specialist.

(iv) Reverse engineering support: A supplier that specializes in the analysis of binary samples and provides detailed reports on their content, any possible threat and the malware family involved. Your current security suppliers might already offer this service.

(v) Public relations and legal support: If you suffer a significant breach, you have to make sure that public relations and legal assistance are in place so that your CEO, CIO and CISO do not end up as a Harvard Business School case study on how not to deal with a major cyber attack.

3. Inventory of your assets, classification and preparedness for security.

You have to make sure that all of your cyber assets are inventoried, classified by relative value, and that cyber defences appropriate to that value are in place for each asset category. Do not rely entirely on the assets known to the IT group; enlist a business unit sponsor for asset identification, particularly for assets hidden in the public cloud. Also ensure that key management procedures are in place.

4. Attack detection and diversion readiness.

For each of the major asset classifications you can create replicas using honeypot servers to lure attackers into attacking them and disclosing their methods. When Sony was infiltrated, the hackers found a domain server holding a file named ‘passwords.xlsx’ that contained cleartext passwords for the company’s servers. This makes a good ruse: place such lures in enticing locations and alarm them, so that the moment they are accessed an alert fires and you have instant attack intelligence. Modify these lures frequently so that they appear active and do not look like an obvious trap. As most servers are virtual, attackers will not be as prepared with sandbox evasion methods as they are on client endpoints, so you may be lucky and actually observe the attack in progress.

5. Monitoring preparedness and continuous visibilities.

Network and endpoint activity must be monitored continuously and made visible to the SOC team. Because many client endpoints are mobile and therefore beyond the organization’s firewall, activity at those endpoints must be monitored as well. Endpoint monitoring is the only reliable way to perform process attribution for monitored network traffic, because protocol fingerprinting at the network level cannot always be trusted (it can be spoofed by attackers). Monitored data should be retained and archived for future reference, since a variety of attacks cannot be identified in real time. You will need to rely on metadata more often than on full packet capture, because full capture imposes a significant collection overhead. Nevertheless, dynamic, risk based monitoring controls can keep the collection overhead low while still reacting to major risks with more granular observations.
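Items 4 and 5 above both come down to rules run over endpoint telemetry: an alarm when a decoy file is touched, and attribution of network flows to the process that owns the socket rather than trusting a port-based protocol guess. The following is an added illustration, not Ziften’s code; the event fields, host names, process names and the port-to-process baseline are all constructed assumptions.

```python
"""Two SOC detection rules over constructed endpoint agent events (assumed record format)."""

# Constructed file-access events as an endpoint agent might report them.
FILE_EVENTS = [
    {"host": "dc01", "pid": 4120, "proc": "lure-refresh.ps1", "path": r"C:\Share\passwords.xlsx", "op": "write"},
    {"host": "dc01", "pid": 5533, "proc": "calc.exe", "path": r"C:\Share\passwords.xlsx", "op": "read"},
    {"host": "dc01", "pid": 5533, "proc": "calc.exe", "path": r"C:\Share\report.docx", "op": "read"},
]
DECOY_PATHS = {r"C:\Share\passwords.xlsx"}   # lure files planted per item 4
LURE_MAINTAINER = "lure-refresh.ps1"          # the job that rewrites lures so they look active


def decoy_alerts(events, decoys=DECOY_PATHS, maintainer=LURE_MAINTAINER):
    """Item 4: any touch of a decoy path, except by the lure refresh job, is an instant alarm."""
    return [e for e in events if e["path"] in decoys and e["proc"] != maintainer]


# Constructed endpoint socket table: which process owns which local port.
SOCKETS = [
    {"host": "ws17", "pid": 812, "proc": "firefox.exe", "lport": 51022, "raddr": "203.0.113.10", "rport": 443},
    {"host": "ws17", "pid": 2290, "proc": "calc.exe", "lport": 51030, "raddr": "198.51.100.7", "rport": 443},
]
# Constructed flow metadata from a network sensor; "guessed" is its port-based protocol label.
FLOWS = [
    {"host": "ws17", "lport": 51022, "raddr": "203.0.113.10", "rport": 443, "guessed": "tls"},
    {"host": "ws17", "lport": 51030, "raddr": "198.51.100.7", "rport": 443, "guessed": "tls"},
    {"host": "ws17", "lport": 51044, "raddr": "192.0.2.9", "rport": 53, "guessed": "dns"},
]
# Assumed baseline of processes expected to talk to a given remote port.
EXPECTED_PROCS = {443: {"firefox.exe", "chrome.exe"}}


def attribute_flows(flows, sockets, expected=EXPECTED_PROCS):
    """Item 5: join sensor flows to the endpoint socket table and judge the owning process.

    A flow with no matching socket is "unattributed" (e.g. the agent missed it); a flow owned
    by a process outside the baseline for that port is "suspicious" regardless of the sensor's
    port-based protocol guess, which an attacker can spoof.
    """
    index = {(s["host"], s["lport"], s["raddr"], s["rport"]): s for s in sockets}
    results = []
    for f in flows:
        sock = index.get((f["host"], f["lport"], f["raddr"], f["rport"]))
        if sock is None:
            verdict = "unattributed"
        elif sock["proc"] in expected.get(f["rport"], {sock["proc"]}):
            verdict = "ok"
        else:
            verdict = "suspicious"
        results.append({**f, "proc": sock["proc"] if sock else None, "verdict": verdict})
    return results
```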